On Mon, Apr 7, 2025 at 4:16 PM Nicholas Chammas <nicholas.cham...@gmail.com> wrote:
> But I will note that that person’s reply to the ASF Security Team’s
> initial comment smells like LLM output. Perhaps I am being unfair to them,
> but I have read reports
> <https://daniel.haxx.se/blog/2024/01/02/the-i-in-llm-stands-for-intelligence/>
> that bug bounties are now getting flooded with credible-looking reports
> generated by AI that simply waste a lot of developer time to check.
>
> And if that’s the case, then unfortunately some extra prose in the
> Security guide is unlikely to help.
>

Yes and no: I agree that this report is particularly bad and likely LLM-generated. Nothing will prevent those. That said, having clear "this is how you decide whether the behaviour you see is problematic" instructions is still useful in swiftly dealing with those. And who knows a few may even learn something - we *have* also seen LLM-assisted reports that actually uncovered legitimate issues (though tbh I'd rather receive someone's broken English than their LLM's word salad...)

Kind regards,

Arnout

> On Apr 7, 2025, at 9:59 AM, Arnout Engelen <enge...@apache.org> wrote:
>
> Hello dev@spark,
>
> Every now and then we get a 'security report' for Spark where the reporter
> is shocked that 'spark', an 'engine for executing', allows users to execute
> things. The latest in this category was
> https://huntr.com/bounties/cc436d0b-e5d7-4394-9cff-0d4b1809a3f8.
>
> You already have a pretty great
> https://spark.apache.org/docs/latest/security.html, but it might be good
> to add a basic introduction to make explicit that users who are authorized
> to execute can indeed execute code? I'm of course no Spark expert and you
> can likely more clearly describe the security boundaries here. You could
> take inspiration from https://flink.apache.org/what-is-flink/security/ or
> other pages linked from https://security.apache.org/projects/
>
>
> Kind regards,
>
> --
> Arnout Engelen
> ASF Security Response
> Apache Pekko PMC member, ASF Member
> NixOS Committer
> Independent Open Source consultant
>
>

--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant