Hi everyone,

I didn't follow up on this when I raised it in December 2023. I'd like to propose it again.

Basically, the idea is that the podling reports, that we do every 3 months, would have a question about whether the podling believes that they are being sufficiently responsive to issues raised on their private mailing list (particularly security issues). There would maybe also be a reminder about the ASF policies related to dealing with disclosures about vulnerabilities [1].

I would also like to see a section about this in the Graduation Report - having podlings declare that they have been and intend to continue to be responsive to disclosures about vulnerabilities. This is covered by QU30 in the Project Maturity Model [2] but I wonder if the text could be adjusted to also mention the need to be responsive to vulnerability reports.

With efforts like the CRA [3] and other regulatory requirements around the world, this area is becoming even more important.

What do people think?

Thanks,
PJ

[1] https://www.apache.org/security/
[2] https://community.apache.org/apache-way/apache-project-maturity-model.html#quality
[3] https://en.wikipedia.org/wiki/Cyber_Resilience_Act

On Wed, 13 Dec 2023 at 16:21, Craig Russell <apache....@gmail.com> wrote:
>
> Hi PJ,
>
> I agree that there should be a section in podlings' reports that highlights
> <private/> security issues.
>
> Regards,
> Craig
>
> > On Dec 13, 2023, at 05:22, PJ Fanning <fannin...@apache.org> wrote:
> >
> > Hi everyone,
> >
> > I'm wondering if podlings should include some details about their
> > security issues [1] in their 3 podling reports. We won't want to
> > release information about any security issues that are still under
> > investigation or where the fix is not yet released. I still think
> > there is little harm in podlings giving high level numbers and maybe
> > some indication of how quickly security issues are being dealt with.
> >
> > I've seen evidence that some TLPs are unaware of the importance of
> > dealing quickly with security reports and I think the Incubator team
> > could help with ensuring that podlings are aware of the requirements.
> >
> > I will certainly be having a close look at a podling's record of
> > handling security reports when it comes to discussions about
> > graduation.
> >
> > I'm wondering if we could have some consensus on what is expected of
> > podlings.
> >
> > Regards,
> > PJ
> >
> > [1] https://www.apache.org/security/
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> > For additional commands, e-mail: general-h...@incubator.apache.org
> >
>
> Craig L Russell
> c...@apache.org