Hi Arnout,

Just letting you know we have heard you, this mail didn't go unnoticed and we are working on getting things in control. I am sharing the context of the current situation as well:

AFAIK the issues which were acknowledged by the Hive Security team as actual bugs in the code are all fixed in the current code & most of them, apart from 1 (if I am not mistaken), were released as part of the Hive-4.0 release as well. The only reason they are hanging on us is because we need to release it on all active release lines to formally announce them. We did work in that area & announced Hive-1.x & 2.x as EOL. The only other release line remaining is Hive-3.x, which I have been talking with folks about & we will call it off as well, since we don't have enough volunteers for that release line and no recognizable active development is going on there either. So, as we announce 3.x as EOL mostly post having the 4.0.1 release, I think that is "Majority vote by the PMC", so I am pretty sure we will have the numbers to do so. I think immediately after that we would be announcing most of the CVEs. I don't know if there is any way to announce without having it in 3.x (or mark a release line active but not secure or something like that). I think there would be some noise against it, since 3.x does have a good user base, but it doesn't stop them from using it, just conveys it ain't safe & the best line and the active set of developers aren't focusing on that. I will take that bullet if there is one :-)

Regarding responding to issues reported: I skimmed over the security@ list; as of now I couldn't find any unanswered one. I think there was one, which got answered. Well, most of us try to acknowledge ASAP but there are challenges in that area as well. There is so much SPAM on the security@ list that sometimes some genuine issues get missed in that flood of irrelevant emails. Folks in the community have taken an initiative in that area as well, & are discussing having a secured JIRA + moderating the security@ list, & we are exploring that area as well to improve this aspect. So, that should be improved as well; I can't say it would be the best but better for sure.

Hope that clarifies the state of the project in terms of security & why the issues aren't getting announced and the work done by the PMC in that area. Open to suggestions if any. Thanks for highlighting this.

++ HIVE private@ in case anyone has any other feedback or shares some different opinions

-Ayush

On Thu, 15 Aug 2024 at 14:51, Apache Security Team <secur...@apache.org> wrote:
>
> Hello Hive community,
>
> The Hive project is struggling to perform its security duties[0]: there are
> unusually old security reports that the Hive Security Team / PMC has not
> disclosed yet, and triaging new incoming security reports also takes longer
> than responsible. This not only falls short of what is expected as an Apache
> project, but longer-term could have legal consequences for the ASF and
> individual contributors, with legislation such as the CRA coming into force
> in Europe and similar measures being expected around the world.
>
> The ASF Security Team has expressed its concern before, leading to the first
> formal escalation step [1] of issuing a call for help on your public
> mailinglist [2] back in March, after an earlier call by your PMC in September
> [3]. This yielded one volunteer. As far as I can tell the PMC has not
> enlisted this volunteer yet.
>
> If the Hive project cannot return to a healthy cadence of dealing with
> security issues, the only responsible decision for the PMC (which is
> collectively responsible for the oversight of the project) would be to
> initiate the move to the Attic. Of course we hope this can be prevented.
>
>
> Kind regards,
>
> Arnout Engelen
> ASF Security Team
>
> [0] https://apache.org/security/committers.html
> [1] https://cwiki.apache.org/confluence/display/SECURITY/Project+Security+Response+Formal+Escalation
> [2] https://lists.apache.org/thread/8wghsxdlj8bfygf2ptcdb8pojlvxwjx8
> [3] https://lists.apache.org/thread/j0ztt61wjz9gc46dj6fpor30xh437h9n