Dear Oozie users and developers,

As this call for volunteers yielded no responses, and a security roll call to the PMC yielded no responses either, we expect to initiate the Attic process next week.

Kind regards,

Arnout Engelen
ASF Security

On Wed, Oct 30, 2024 at 2:18 PM Apache Security Team <secur...@apache.org> wrote:

> Dear Oozie users and developers,
>
> As you know, the Apache Software Foundation takes our users' security
> seriously, and defines sensible release and security processes to make sure
> potential security issues are dealt with responsibly. These indirectly also
> protect our committers, shielding individuals from personal liability. Some
> of this process is necessarily done in private; as we practice responsible
> disclosure.
>
> We are seeing potential security issues are reported privately to the
> Oozie PMC, but the PMC currently does not appear to have the bandwidth to
> triage (and, if necessary, fix and disclose) them.
>
> On behalf of the PMC: would anyone be interested in helping out here? If
> so, please contact priv...@oozie.apache.org with secur...@apache.org in
> Cc.
>
> If you’re using this project in a professional capacity, now would be a
> good time to campaign to allocate time to participate to keep the project
> healthy. This is the first step of our more formal security escalation
> process[0]. If the Oozie project cannot return to a healthy cadence of
> dealing with security issues, the only responsible decision for the PMC
> (which is collectively responsible for the oversight of the project) would
> be to initiate the move to the Attic [1]. Of course we hope this can be
> prevented.
>
> As this message is going to the public mailing list, please do not share
> sensitive information in this thread.
>
>
> Kind regards,
>
> The ASF Security Team
>
> [0] https://cwiki.apache.org/confluence/display/SECURITY/Project+Security+Response+Formal+Escalation
> [1] https://attic.apache.org/