Hi Craig
At dayjob this has been part of an antivirus solution we have had in production
use for a long time. It scans computers, knows software and versions, knows what
is running and aligns that with CVEs. Don't know if that is already
scraping SBOMs to gain a better picture about the software. Since it is

ARC is categorized experimental and, according to the linked documentation
page, relies purely on the recipient's trust in the sending
intermediate domain. This boils down to whitelists, and those have problems
scaling.
Tampering with SPF/DKIM signatures is, in my perception, no lon

I agree and wanted to point out that we could recommend projects to have clear
communication about what consumers can expect from their products. That
promise should be a close match to reality. The promise probably would have
to be kept up to date as time passes by and "things change".
On Thu, 17 Oct

Talking about LTS... Something I perceive as a great feat is a well-defined
lifecycle definition, even without any special labels like LTS. See Ubuntu
for reference:
https://ubuntu.com/about/release-cycle
With a well-defined lifecycle definition consumers can think about and plan
the future in the

Gary, I can well remember those days. I think we were able to handle it
quite well even if we had no disaster recovery plan at hand. However, that
was a zero-day exploit in the wild.
Unfortunately, directed attacks are a lot nastier. Imagine a mail bot
spamming all mailboxes to the storage limit wi

If attackers are able to publish abusive ASF software products and shut
down ASF to coordinate a fixing software release, we can safely assume that
attackers are also in control of whatever information is available in
private SVN. It is probable that a well-known PMC member's identity is being
imper

Binary files are fine to me if provenance and purpose are documented and
auditable. The same applies to code.
It is troublesome if nobody checks either provenance or purpose. But
that equally applies to code. Code can contain hidden malicious algorithms.
That said, code that generates binary c

> > ts used in a Command ('Command
> > Injection') vulnerability in Apache Software Foundation Apache Airflow,
> > Apache Software Foundation Apache Airflow MySQL Provider. This issue affects
> > Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.

Agree. And in this case the tagged source Git repository cannot contain the
security information in the release. It can only be added later with
another commit.
Further, adding documentation that outlines attack vectors to black hats is
a no-go for me.
Consumers tend to not update their dependenc

Hi
This is a related good read:
https://yarchive.net/comp/linux/security_bugs.html
TL;DR: a developer's time is better invested in fixing more issues than
tagging any commit that is somehow security related. Pushing the bar
further: would a fix of a blue screen crash be any less important than a

SBOMs appear to be the solution, allowing introspection and thus providing a
way for building automated tools that can answer tough questions, i.e.
regarding IT security. As for the format, I would stick with the ISO
standard: SPDX.
--
Sent from my phone. Typos are a kind gift to anyone who happens to

Hi
I followed the White House meeting, am a member of the Logging PMC and was
involved in the log4j happenings in late December. I am however not one of
the log4j developers.
Let me know if I can help in any way. Most of this sounds like what we
already worked out for the White House meeting.
Happ
On Mon, Jan 17, 2022, 02:20 Sam Ruby wrote:
> On Sun, Jan 16, 2022 at 6:59 PM Gilles Sadowski wrote:
>
> > On Sun, 16 Jan 2022 at 22:27, Sam Ruby wrote:
> > >
> > > On Sun, Jan 16, 2022 at 1:49 PM Dominik Psenner

I have no intention to tear apart the document. I am dealing with
non-technical fellows on a daily basis and from my experience the document
is still too technical.
Could a comparison with a house be of help? A house is something specially
made according to the specifications of the owner and adapted

2FA is a great thing because it hardens the authentication process! The two
factors can be many things. I propose to use a framework that allows great
flexibility and serves as an identity provider with a single sign-on
service. The SSO service could allow for many convenient two factors, i.e.
OTP,

Awesome work everyone! Just now I noticed an important key point that may
have slipped through:
Built into the "genes" of every project is that we (the ASF) make software
for the public good, at no charge and free to use for everyone.

Hi Sam,
Thanks for putting this together. I broadly agree and would like to add notes
as follows.
There is more to contributions than just changes to the codebase with
commits. There are contributors (like me) who act in the "background" by
digging through moderation queues, responding to general question
On Thu, Dec 23, 2021, 23:08 Phil Steitz wrote:
>
> On 12/23/21 2:59 PM, security-discuss-h...@community.apache.org wrote:
> > Hi! This is the ezmlm program. I'm managing the
> > security-discuss@community.apache.org