Thanks Calvin for your response. Maybe we could start by having the ASF Security team track progress on reported issues - as they already do. In the Incubator public reporting, we would not disclose anything other than self reporting that the PPMC feels confident that they are in a good position to deal with issues and follow the ASF Security process.
Maybe the Incubator shepherds could independently check this too. I'm open to forming a consensus on the right level of reporting. When it comes to graduating, I would like to be able to vote -1 for podlings who appear not to be following the security process. On Fri 24 Jan 2025, 16:11 Calvin Kirs, <k...@apache.org> wrote: > I completely agree with this proposal, even though some podlings rarely > encounter security issues during incubation. (This may change as they > transition to TLP status and gain more visibility.) However, understanding > and recognizing the importance of security issues is also something > podlings need to learn during the incubation period. > > If podlings are required to report existing security issues and their > progress, how should this be done? Through private@i.a.o? Currently, our > reports are fully public. > > In the final board submission, the Incubator will also need to provide a > consolidated private report on security issues. This report should include > the number of security issues and identify any podlings that are in an > unhealthy state regarding their handling of security problems. > > That said, the successful submission of this report will likely rely > heavily on the efforts of shepherds and mentors. > > On Fri, Jan 24, 2025 at 9:36 PM PJ Fanning <fannin...@gmail.com> wrote: > > > Hi everyone, > > > > I didn't follow up on this when I raised it in December 2023. I'd like > > to propose it again. > > Basically, the idea is that the podling reports, that we do every 3 > > months, would have a question about whether the podling believes that > > they are being sufficiently responsive to issues raised on their > > private mailing list (particularly security issues). There would maybe > > also be a reminder about the ASF policies related to dealing with > > disclosures about vulnerabilities [1]. > > I would also like to see a section about this in the Graduation Report > > - having podlings declare that they have been and intend to continue > > to be responsive to disclosures about vulnerabilities. This is covered > > by QU30 in the Project Maturity Model [2] but I wonder if the text > > could be adjusted to also mention the need to be responsive to > > vulnerability reports. > > With efforts like the CRA [3] and other regulatory requirements around > > the world, this area is becoming even more important. > > > > What do people think? > > > > Thanks, > > PJ > > > > [1] https://www.apache.org/security/ > > [2] > > > https://community.apache.org/apache-way/apache-project-maturity-model.html#quality > > [3] https://en.wikipedia.org/wiki/Cyber_Resilience_Act > > > > On Wed, 13 Dec 2023 at 16:21, Craig Russell <apache....@gmail.com> > wrote: > > > > > > Hi PJ, > > > > > > I agree that there should be a section in podlings' reports that > > highlights <private/> security issues. > > > > > > Regards, > > > Craig > > > > > > > On Dec 13, 2023, at 05:22, PJ Fanning <fannin...@apache.org> wrote: > > > > > > > > Hi everyone, > > > > > > > > I'm wondering if podlings should include some details about their > > > > security issues [1] in their 3 podling reports. We won't want to > > > > release information about any security issues that are still under > > > > investigation or where the fix is not yet released. I still think > > > > there is little harm in podlings giving high level numbers and maybe > > > > some indication of how quickly security issues are being dealt with. > > > > > > > > I've seen evidence that some TLPs are unaware of the importance of > > > > dealing quickly with security reports and I think the Incubator team > > > > could help with ensuring that podlings are aware of the requirements. > > > > > > > > I will certainly be having a close look at a podling's record of > > > > handling security reports when it comes to discussions about > > > > graduation. > > > > > > > > I'm wondering if we could have some consensus on what is expected of > > podlings. > > > > > > > > Regards, > > > > PJ > > > > > > > > [1] https://www.apache.org/security/ > > > > > > > > --------------------------------------------------------------------- > > > > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > > > > For additional commands, e-mail: general-h...@incubator.apache.org > > > > > > > > > > Craig L Russell > > > c...@apache.org > > > > > > > > > --------------------------------------------------------------------- > > > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > > > For additional commands, e-mail: general-h...@incubator.apache.org > > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > > For additional commands, e-mail: general-h...@incubator.apache.org > > > > > > -- > Best wishes! > CalvinKirs >
