Related, should we ask the podling if all PPMC members (and only PPMC members or invited outsiders) are subscribed to the private mail list?
Craig

> On Mar 6, 2025, at 07:02, PJ Fanning <fannin...@apache.org> wrote:
>
> As a concrete proposal, can I suggest adding a question to the podling report.
>
> Something like:
> Is the podling PPMC being responsive to email threads on the private mailing
> list (don't discuss specific instances here because the threads are private)?
>
> I know this is a long-winded question that really only expects a yes/no
> answer or something like:
> The PPMC has become less responsive recently. I will reach out to PPMC
> members to see if they can devote some more time to the private threads.
>
> The idea of the question is to act as a reminder of the importance of the
> private email threads.
>
> It would also be good if the shepherds also check the private threads when
> reviewing podling reports and report if they think there is a responsiveness
> issue.
>
>
> On 2025/01/26 07:42:16 Jean-Baptiste Onofré wrote:
>> Hi
>>
>> This is a good proposal. As part of the new reporting tool for
>> projects, a security section is part of the report.
>>
>> So, it makes sense to have it for podlings.
>>
>> Regards
>> JB
>>
>> On Fri, Jan 24, 2025 at 2:35 PM PJ Fanning <fannin...@gmail.com> wrote:
>>>
>>> Hi everyone,
>>>
>>> I didn't follow up on this when I raised it in December 2023. I'd like
>>> to propose it again.
>>> Basically, the idea is that the podling reports, that we do every 3
>>> months, would have a question about whether the podling believes that
>>> they are being sufficiently responsive to issues raised on their
>>> private mailing list (particularly security issues). There would maybe
>>> also be a reminder about the ASF policies related to dealing with
>>> disclosures about vulnerabilities [1].
>>> I would also like to see a section about this in the Graduation Report
>>> - having podlings declare that they have been and intend to continue
>>> to be responsive to disclosures about vulnerabilities. This is covered
>>> by QU30 in the Project Maturity Model [2] but I wonder if the text
>>> could be adjusted to also mention the need to be responsive to
>>> vulnerability reports.
>>> With efforts like the CRA [3] and other regulatory requirements around
>>> the world, this area is becoming even more important.
>>>
>>> What do people think?
>>>
>>> Thanks,
>>> PJ
>>>
>>> [1] https://www.apache.org/security/
>>> [2] https://community.apache.org/apache-way/apache-project-maturity-model.html#quality
>>> [3] https://en.wikipedia.org/wiki/Cyber_Resilience_Act
>>>
>>> On Wed, 13 Dec 2023 at 16:21, Craig Russell <apache....@gmail.com> wrote:
>>>>
>>>> Hi PJ,
>>>>
>>>> I agree that there should be a section in podlings' reports that
>>>> highlights <private/> security issues.
>>>>
>>>> Regards,
>>>> Craig
>>>>
>>>>> On Dec 13, 2023, at 05:22, PJ Fanning <fannin...@apache.org> wrote:
>>>>>
>>>>> Hi everyone,
>>>>>
>>>>> I'm wondering if podlings should include some details about their
>>>>> security issues [1] in their 3 podling reports. We won't want to
>>>>> release information about any security issues that are still under
>>>>> investigation or where the fix is not yet released. I still think
>>>>> there is little harm in podlings giving high-level numbers and maybe
>>>>> some indication of how quickly security issues are being dealt with.
>>>>>
>>>>> I've seen evidence that some TLPs are unaware of the importance of
>>>>> dealing quickly with security reports and I think the Incubator team
>>>>> could help with ensuring that podlings are aware of the requirements.
>>>>>
>>>>> I will certainly be having a close look at a podling's record of
>>>>> handling security reports when it comes to discussions about
>>>>> graduation.
>>>>>
>>>>> I'm wondering if we could have some consensus on what is expected of
>>>>> podlings.
>>>>>
>>>>> Regards,
>>>>> PJ
>>>>>
>>>>> [1] https://www.apache.org/security/
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
>>>>> For additional commands, e-mail: general-h...@incubator.apache.org
>>>>>
>>>>
>>>> Craig L Russell
>>>> c...@apache.org
>>>>

Craig L Russell
c...@apache.org