PJ Fanning wrote on 3/6/25 10:02 AM:
> As a concrete proposal, can I suggest adding a question to the podling report.

Thanks for moving this to something concrete. Note as a general concept, I support this idea. Beefing up our documented processes around security handling is important, especially with legislation like the CRA coming our way in the future.

> Something like:
> Is the podling PPMC being responsive to email threads on the private mailing
> list (don't discuss specific instances here because the threads are private)?

This is a good start, but I would definitely expand this to ask about security issues in specific, because that is the critical factor in project governance.

At the other end of the lifecycle, the defining factor of "Should the board force this dormant project into the Attic" is most often expressed as "Does this PMC still have three PMC members who could respond to a new security issue and push a release with a fix?"

We should also ensure that PPMCs are made aware of Security requirements for TLPs, and how to handle vulnerabilities:

  https://www.apache.org/security/committers.html

> I know this is a long-winded question that really only expects a yes/no answer
> or something like:
> The PPMC has become less responsive recently. I will reach out to PPMC members
> to see if they can devote some more time to the private threads.

> The idea of the question is to act as a reminder of the importance of the
> private email threads.

True - along with a reminder about including private information in any board reports (podling or TLP). A template answer here might be like this, to show that including a public answer to the question is important, but reminding people to use <private> markers for things that should not be made public in minutes.

----
Yes, the PPMC has been regularly reviewing private@ threads for activity lately.
<private>
The PPMC identified one incoming security report as invalid, and is investigating a second security report to see if we need a CVE. (or something like that)
</private>
----
> It would also be good if the shepherds also check the private threads when
> reviewing podling reports and report if they think there is a responsiveness
> issue.


--
- Shane
  Member
  The Apache Software Foundation
