As a concrete proposal, can I suggest adding a question to the podling report.

Something like:
Is the podling PPMC being responsive to email threads on the private mailing 
list (don't discuss specific instances here because the threads are private)?

I know this is a long-winded question that really only expects a yes/no answer 
or something like:
The PPMC has become less responsive recently. I will reach out to PPMC members 
to see if they can devote some more time to the private threads.

The idea of the question is to act as a reminder of the importance of the 
private email threads.

It would also be good if the shepherds also check the private threads when 
reviewing podling reports and report if they think there is a responsiveness 
issue.


On 2025/01/26 07:42:16 Jean-Baptiste Onofré wrote:
> Hi
> 
> This is a good proposal. As part of the new reporting tool for
> projects, a security section is part of the report.
> 
> So, it makes sense to have it for podlings.
> 
> Regards
> JB
> 
> On Fri, Jan 24, 2025 at 2:35 PM PJ Fanning <fannin...@gmail.com> wrote:
> >
> > Hi everyone,
> >
> > I didn't follow up on this when I raised it in December 2023. I'd like
> > to propose it again.
> > Basically, the idea is that the podling reports, that we do every 3
> > months, would have a question about whether the podling believes that
> > they are being sufficiently responsive to issues raised on their
> > private mailing list (particularly security issues). There would maybe
> > also be a reminder about the ASF policies related to dealing with
> > disclosures about vulnerabilities [1].
> > I would also like to see a section about this in the Graduation Report
> > - having podlings declare that they have been and intend to continue
> > to be responsive to disclosures about vulnerabilities. This is covered
> > by QU30 in the Project Maturity Model [2] but I wonder if the text
> > could be adjusted to also mention the need to be responsive to
> > vulnerability reports.
> > With efforts like the CRA [3] and other regulatory requirements around
> > the world, this area is becoming even more important.
> >
> > What do people think?
> >
> > Thanks,
> > PJ
> >
> > [1] https://www.apache.org/security/
> > [2] https://community.apache.org/apache-way/apache-project-maturity-model.html#quality
> > [3] https://en.wikipedia.org/wiki/Cyber_Resilience_Act
> >
> > On Wed, 13 Dec 2023 at 16:21, Craig Russell <apache....@gmail.com> wrote:
> > >
> > > Hi PJ,
> > >
> > > I agree that there should be a section in podlings' reports that 
> > > highlights <private/> security issues.
> > >
> > > Regards,
> > > Craig
> > >
> > > > On Dec 13, 2023, at 05:22, PJ Fanning <fannin...@apache.org> wrote:
> > > >
> > > > Hi everyone,
> > > >
> > > > I'm wondering if podlings should include some details about their
> > > > security issues [1] in their 3 podling reports. We won't want to
> > > > release information about any security issues that are still under
> > > > investigation or where the fix is not yet released. I still think
> > > > there is little harm in podlings giving high level numbers and maybe
> > > > some indication of how quickly security issues are being dealt with.
> > > >
> > > > I've seen evidence that some TLPs are unaware of the importance of
> > > > dealing quickly with security reports and I think the Incubator team
> > > > could help with ensuring that podlings are aware of the requirements.
> > > >
> > > > I will certainly be having a close look at a podling's record of
> > > > handling security reports when it comes to discussions about
> > > > graduation.
> > > >
> > > > I'm wondering if we could have some consensus on what is expected of 
> > > > podlings.
> > > >
> > > > Regards,
> > > > PJ
> > > >
> > > > [1] https://www.apache.org/security/
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> > > > For additional commands, e-mail: general-h...@incubator.apache.org
> > > >
> > >
> > > Craig L Russell
> > > c...@apache.org
> > >
> > >
> > >
> >
> >
> 
> 
> 
