Dear Oozie users and developers,

As you know, the Apache Software Foundation takes our users' security seriously, and defines sensible release and security processes to make sure potential security issues are dealt with responsibly. These indirectly also protect our committers, shielding individuals from personal liability. Some of this process is necessarily done in private, as we practice responsible disclosure.

We are seeing potential security issues being reported privately to the Oozie PMC, but the PMC currently does not appear to have the bandwidth to triage (and, if necessary, fix and disclose) them.

On behalf of the PMC: would anyone be interested in helping out here? If so, please contact priv...@oozie.apache.org with secur...@apache.org in Cc. If you’re using this project in a professional capacity, now would be a good time to campaign to allocate time to participate to keep the project healthy.

This is the first step of our more formal security escalation process [0]. If the Oozie project cannot return to a healthy cadence of dealing with security issues, the only responsible decision for the PMC (which is collectively responsible for the oversight of the project) would be to initiate the move to the Attic [1]. Of course we hope this can be prevented.

As this message is going to the public mailing list, please do not share sensitive information in this thread.

Kind regards,
The ASF Security Team

[0] https://cwiki.apache.org/confluence/display/SECURITY/Project+Security+Response+Formal+Escalation
[1] https://attic.apache.org/