I don't want to share numbers on a public forum but I just counted up
the number of podlings with active or recent security reports and it
seems things are not that rosy. It seems to me that podlings are about
as likely to get issues reported as ASF projects generally. I can post
some numbers on the private Incubator mailing list.

On Tue, 18 Mar 2025 at 23:48, Justin Mclean <jus...@classsoftware.com> wrote:
>
> Hi,
>
> While I have nothing against this idea, podlings rarely get security reports, 
> and most never get them. Even if it occurred a few times a year, do we want 
> to task all podlings with this?
>
> Kind Regards,
> Justin
>
> > On 19 Mar 2025, at 2:07 AM, Shane Curcuru <a...@shanecurcuru.org> wrote:
> >
> > PJ Fanning wrote on 3/6/25 10:02 AM:
> >> As a concrete proposal, can I suggest adding a question to the podling 
> >> report.
> >
> > Thanks for moving this to something concrete.  Note as a general concept, I 
> > support this idea.  Beefing up our documented processes around security 
> > handling is important, especially with legislation like the CRA coming our 
> > way in the future.
> >
> >> Something like:
> >> Is the podling PPMC being responsive to email threads on the private 
> >> mailing list (don't discuss specific instances here because the threads 
> >> are private)?
> >
> > This is a good start, but I would definitely expand this to ask about 
> > security issues in specific, because that is the critical factor in project 
> > governance.
> >
> > At the other end of the lifecycle, the defining factor of "Should the board 
> > force this dormant project into the Attic" is most often expressed as "Does 
> > this PMC still have three PMC members who could respond to a new security 
> > issue and push a release with a fix?"
> >
> > We should also ensure that PPMCs are made aware of Security requirements 
> > for TLPs, and how to handle vulnerabilities:
> >
> > https://www.apache.org/security/committers.html
> >
> >> I know this is a long-winded question that really only expects a yes/no 
> >> answer or something like:
> >> The PPMC has become less responsive recently. I will reach out to PPMC 
> >> members to see if they can devote some more time to the private threads.
> >> The idea of the question is to act as a reminder of the importance of the 
> >> private email threads.
> >
> > True - along with a reminder about including private information in any 
> > board reports (podling or TLP).  A template answer here might be like this, 
> > to show that including a public answer to the question is important, but 
> > reminding people to use <private> markers for things that should not be 
> > made public in minutes.
> >
> > ----
> > Yes, the PPMC has been regularly reviewing private@ threads for activity 
> > lately.
> > <private>
> > The PPMC identified one incoming security report as invalid, and is 
> > investigating a second security report to see if we need a CVE.  (or 
> > something like that)
> > </private>
> > ----
> >> It would also be good if the shepherds also check the private threads when 
> >> reviewing podling reports and report if they think there is a 
> >> responsiveness issue.
> >
> >
> > --
> > - Shane
> > Member
> > The Apache Software Foundation
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> > For additional commands, e-mail: general-h...@incubator.apache.org
> >
>
