I completely agree with this proposal, even though some podlings rarely encounter security issues during incubation. (This may change as they transition to TLP status and gain more visibility.) However, understanding and recognizing the importance of security issues is also something podlings need to learn during the incubation period.
If podlings are required to report existing security issues and their progress, how should this be done? Through private@i.a.o? Currently, our reports are fully public. In the final board submission, the Incubator will also need to provide a consolidated private report on security issues. This report should include the number of security issues and identify any podlings that are in an unhealthy state regarding their handling of security problems. That said, the successful submission of this report will likely rely heavily on the efforts of shepherds and mentors.

On Fri, Jan 24, 2025 at 9:36 PM PJ Fanning <fannin...@gmail.com> wrote:
> Hi everyone,
>
> I didn't follow up on this when I raised it in December 2023. I'd like
> to propose it again.
> Basically, the idea is that the podling reports, that we do every 3
> months, would have a question about whether the podling believes that
> they are being sufficiently responsive to issues raised on their
> private mailing list (particularly security issues). There would maybe
> also be a reminder about the ASF policies related to dealing with
> disclosures about vulnerabilities [1].
> I would also like to see a section about this in the Graduation Report
> - having podlings declare that they have been and intend to continue
> to be responsive to disclosures about vulnerabilities. This is covered
> by QU30 in the Project Maturity Model [2] but I wonder if the text
> could be adjusted to also mention the need to be responsive to
> vulnerability reports.
> With efforts like the CRA [3] and other regulatory requirements around
> the world, this area is becoming even more important.
>
> What do people think?
>
> Thanks,
> PJ
>
> [1] https://www.apache.org/security/
> [2] https://community.apache.org/apache-way/apache-project-maturity-model.html#quality
> [3] https://en.wikipedia.org/wiki/Cyber_Resilience_Act
>
> On Wed, 13 Dec 2023 at 16:21, Craig Russell <apache....@gmail.com> wrote:
> >
> > Hi PJ,
> >
> > I agree that there should be a section in podlings' reports that
> > highlights <private/> security issues.
> >
> > Regards,
> > Craig
> >
> > > On Dec 13, 2023, at 05:22, PJ Fanning <fannin...@apache.org> wrote:
> > >
> > > Hi everyone,
> > >
> > > I'm wondering if podlings should include some details about their
> > > security issues [1] in their 3 podling reports. We won't want to
> > > release information about any security issues that are still under
> > > investigation or where the fix is not yet released. I still think
> > > there is little harm in podlings giving high level numbers and maybe
> > > some indication of how quickly security issues are being dealt with.
> > >
> > > I've seen evidence that some TLPs are unaware of the importance of
> > > dealing quickly with security reports and I think the Incubator team
> > > could help with ensuring that podlings are aware of the requirements.
> > >
> > > I will certainly be having a close look at a podling's record of
> > > handling security reports when it comes to discussions about
> > > graduation.
> > >
> > > I'm wondering if we could have some consensus on what is expected of
> > > podlings.
> > >
> > > Regards,
> > > PJ
> > >
> > > [1] https://www.apache.org/security/
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> > > For additional commands, e-mail: general-h...@incubator.apache.org
> > >
> >
> > Craig L Russell
> > c...@apache.org
> >

-- 
Best wishes!
CalvinKirs