Sure, how about here though? https://github.com/apache/spark-website/pull/602
On Mon, Apr 7, 2025 at 9:30 AM Arnout Engelen <enge...@apache.org> wrote:

> On Mon, Apr 7, 2025 at 4:16 PM Nicholas Chammas <nicholas.cham...@gmail.com> wrote:
>
>> But I will note that that person's reply to the ASF Security Team's initial comment smells like LLM output. Perhaps I am being unfair to them, but I have read reports <https://daniel.haxx.se/blog/2024/01/02/the-i-in-llm-stands-for-intelligence/> that bug bounties are now getting flooded with credible-looking reports generated by AI that simply waste a lot of developer time to check.
>>
>> And if that's the case, then unfortunately some extra prose in the Security guide is unlikely to help.
>>
>
> Yes and no: I agree that this report is particularly bad and likely LLM-generated. Nothing will prevent those. That said, having clear "this is how you decide whether the behaviour you see is problematic" instructions is still useful in swiftly dealing with those. And who knows, a few may even learn something - we *have* also seen LLM-assisted reports that actually uncovered legitimate issues (though tbh I'd rather receive someone's broken English than their LLM's word salad...)
>
>
> Kind regards,
>
> Arnout
>
>
>> On Apr 7, 2025, at 9:59 AM, Arnout Engelen <enge...@apache.org> wrote:
>>
>> Hello dev@spark,
>>
>> Every now and then we get a 'security report' for Spark where the reporter is shocked that 'spark', an 'engine for executing', allows users to execute things. The latest in this category was https://huntr.com/bounties/cc436d0b-e5d7-4394-9cff-0d4b1809a3f8.
>>
>> You already have a pretty great https://spark.apache.org/docs/latest/security.html, but it might be good to add a basic introduction to make explicit that users who are authorized to execute can indeed execute code? I'm of course no Spark expert and you can likely more clearly describe the security boundaries here. You could take inspiration from https://flink.apache.org/what-is-flink/security/ or other pages linked from https://security.apache.org/projects/
>>
>>
>> Kind regards,
>>
>> --
>> Arnout Engelen
>> ASF Security Response
>> Apache Pekko PMC member, ASF Member
>> NixOS Committer
>> Independent Open Source consultant
>>
>>
>
> --
> Arnout Engelen
> ASF Security Response
> Apache Pekko PMC member, ASF Member
> NixOS Committer
> Independent Open Source consultant
>