Hi,

While I have nothing against this idea, podlings rarely get security reports, and most never get them. Even if it occurred a few times a year, do we want to task all podlings with this?
Kind Regards,
Justin

> On 19 Mar 2025, at 2:07 AM, Shane Curcuru <a...@shanecurcuru.org> wrote:
>
> PJ Fanning wrote on 3/6/25 10:02 AM:
>> As a concrete proposal, can I suggest adding a question to the podling report.
>
> Thanks for moving this to something concrete. Note as a general concept, I support this idea. Beefing up our documented processes around security handling is important, especially with legislation like the CRA coming our way in the future.
>
>> Something like:
>> Is the podling PPMC being responsive to email threads on the private mailing list (don't discuss specific instances here because the threads are private)?
>
> This is a good start, but I would definitely expand this to ask about security issues in specific, because that is the critical factor in project governance.
>
> At the other end of the lifecycle, the defining factor of "Should the board force this dormant project into the Attic" is most often expressed as "Does this PMC still have three PMC members who could respond to a new security issue and push a release with a fix?"
>
> We should also ensure that PPMCs are made aware of Security requirements for TLPs, and how to handle vulnerabilities:
>
> https://www.apache.org/security/committers.html
>
>> I know this is a long-winded question that really only expects a yes/no answer or something like:
>> The PPMC has become less responsive recently. I will reach out to PPMC members to see if they can devote some more time to the private threads.
>> The idea of the question is to act as a reminder of the importance of the private email threads.
>
> True - along with a reminder about including private information in any board reports (podling or TLP). A template answer here might be like this, to show that including a public answer to the question is important, but reminding people to use <private> markers for things that should not be made public in minutes.
>
> ----
> Yes, the PPMC has been regularly reviewing private@ threads for activity lately.
> <private>
> The PPMC identified one incoming security report as invalid, and is investigating a second security report to see if we need a CVE. (or something like that)
> </private>
> ----
>
>> It would also be good if the shepherds also check the private threads when reviewing podling reports and report if they think there is a responsiveness issue.
>
>
> --
> - Shane
> Member
> The Apache Software Foundation
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
> ---------------------------------------------------------------------