This is an automated email from the ASF dual-hosted git repository.

uranusjr pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new 60536152b2 Add description on security issue handling in Airflow (#31160)
60536152b2 is described below

commit 60536152b2466dcfab6a7323ae58beb0867caad1
Author: Jarek Potiuk <[email protected]>
AuthorDate: Thu May 11 09:21:40 2023 +0200

    Add description on security issue handling in Airflow (#31160)
    
    Co-authored-by: Pierre Jeambrun <[email protected]>
    Co-authored-by: Pankaj Koti <[email protected]>
    Co-authored-by: Vincent <[email protected]>
    Co-authored-by: Kaxil Naik <[email protected]>
---
 .github/SECURITY.rst                    | 69 ++++++++++++++++++++++++++++++++-
 COMMITTERS.rst                          |  6 +++
 dev/README_RELEASE_AIRFLOW.md           | 15 +++++++
 dev/README_RELEASE_HELM_CHART.md        | 15 +++++++
 dev/README_RELEASE_PROVIDER_PACKAGES.md | 15 +++++++
 5 files changed, 119 insertions(+), 1 deletion(-)

diff --git a/.github/SECURITY.rst b/.github/SECURITY.rst
index d4f2863a8c..82341fc408 100644
--- a/.github/SECURITY.rst
+++ b/.github/SECURITY.rst
@@ -39,7 +39,7 @@ The Apache Software Foundation takes security issues very 
seriously. Apache
 Airflow specifically offers security features and is responsive to issues
 around its features. If you have any concern around Airflow Security or believe
 you have uncovered a vulnerability, we suggest that you get in touch via the
-e-mail address [email protected]. In the message, try to provide a
+e-mail address [email protected]. In the message, try to provide a
 description of the issue and ideally a way of reproducing it. The security team
 will get back to you after assessing the description.
 
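Review bot: the only change in this hunk is the security contact address, but in this archived view both the removed and the added line read `[email protected]`, so the new address cannot be verified from the mail alone; check the committed SECURITY.rst to confirm it points at the intended Airflow security list.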
@@ -52,3 +52,70 @@ before disclosing it publicly.
 The `ASF Security team's page <https://www.apache.org/security/>`_ describes
 how vulnerability reports are handled, and includes PGP keys if you wish to use
 that.
+
+
+Handling security issues in Airflow
+-----------------------------------
+
+The security issues in Airflow are handled by the Airflow Security Team. The 
team consists
+of selected PMC members that are interested in looking at, discussing about 
and fixing the
+security issues, but it can also include committers and non-committer 
contributors that are
+not PMC members yet and have been approved by the PMC members in a vote. You 
can request to
+be added to the team by sending a message to [email protected]. 
However, the team
+should be small and focused on solving security issues, so the requests will 
be evaluated
+on-case-by-case and the team size will be kept relatively small, limited to 
only actively
+security-focused contributors.
+
+There are certain expectations from the members of the security team:
+
+* They are supposed to be active in assessing, discussing, fixing and 
releasing the
+  security issues in Airflow. While it is perfectly understood that as 
volunteers, we might have
+  periods of lower activity, prolonged lack of activity and participation will 
result in removal
+  from the team, pending PMC decision (the decision on removal can be taken by 
LAZY CONSENSUS among
+  all the PMC members on [email protected] mailing list).
+
+* They are not supposed to reveal the information about pending and unfixed 
security issues to anyone
+  (including their employers) unless specifically authorised by the security 
team members, specifically
+  if diagnosing and solving the issue might involve the need of external 
experts - for example security
+  experts that are available through Airflow stakeholders. The intent about 
involving 3rd parties has
+  to be discussed and agreed up at [email protected].
+
+* They have to have an `ICLA 
<https://www.apache.org/licenses/contributor-agreements.html>`_ signed with
+  Apache Software Foundation.
+
+* The security team members might inform 3rd parties about fixes, for example 
in order to assess if the fix
+  is solving the problem or in order to assess its applicability to be applied 
by 3rd parties, as soon
+  as a PR solving the issue is opened in the public airflow repository.
+
+* In case of critical security issues, the members of the security team might 
iterate on a fix in a
+  private repository and only open the PR in the public repository once the 
fix is ready to be released,
+  with the intent of minimizing the time between the fix being available and 
the fix being released. In this
+  case the PR might be sent to review and comment to the PMC members on 
private list, in order to request
+  an expedited voting on the release. The voting for such release might be 
done on the
+  ``[email protected]`` mailing list and should be made public at the 
``[email protected]``
+  mailing list as soon as the release is ready to be announced.
+
+* The security team members working on the fix might be mentioned as 
remediation developers in the CVE
+  including their job affiliation if they want to.
+
+* Community members acting as release managers are by default members of the 
security team and unless they
+  want to, they do not have to be involved in discussing and solving the 
issues. They are responsible for
+  releasing the CVE information (announcement and publishing to security 
indexes) as part of the
+  release process. This is facilitated by the security tool provided by the 
Apache Software Foundation.
+
+Releasing Airflow with security patches
+---------------------------------------
+
+Apache Airflow uses strict `SemVer <https://semver.org>`_ versioning policy, 
which means that we strive for
+any release of a given ``MAJOR`` Version (version "2" currently) to be 
backwards compatible. When we
+release ``MINOR`` version, the development continues in the ``main`` branch 
where we prepare the next
+``MINOR`` version, but we release ``PATCHLEVEL`` releases with selected 
bugfixes (including security
+bugfixes) cherry-picked to the latest released ``MINOR`` line of Apache 
Airflow. At the moment, when we
+release a new ``MINOR`` version, we stop releasing ``PATCHLEVEL`` releases for 
the previous ``MINOR`` version.
+
+For example, when we released  ``2.6.0`` version on April 30, 2023, until we 
release ``2.7.0`` version,
+all the security patches will be cherry-picked and released in ``2.6.*`` 
versions only. There will be no
+``2.5.*`` versions  released after ``2.6.0`` has been released.
+
+This means that in order to apply security fixes with Apache Airflow software 
released by us, you
+MUST upgrade to the latest ``MINOR`` version of Airflow.
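Review bot: several sentences in the new "Handling security issues in Airflow" section need wording fixes before this merges: "discussing about and fixing" should read "discussing and fixing"; "evaluated on-case-by-case" should be "evaluated on a case-by-case basis"; "the need of external experts" should be "the need for external experts"; "discussed and agreed up at" should be "discussed and agreed upon at"; and "assess its applicability to be applied by 3rd parties" says the same thing twice. Two substantive points as well: the bullet stating that release managers "are by default members of the security team" sits uneasily next to the earlier paragraph saying membership is requested and evaluated case by case, so state explicitly that release managers are ex officio members; and the versioning paragraph calls the policy "strict SemVer" while using the term PATCHLEVEL, whereas SemVer names the third component PATCH, so either use PATCH or say that PATCHLEVEL is Airflow's name for it. Finally, "the security tool provided by the Apache Software Foundation" would be clearer if it named the tool the release docs in this same commit point at (https://cveprocess.apache.org/).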
diff --git a/COMMITTERS.rst b/COMMITTERS.rst
index d476ace8bf..bfc8894381 100644
--- a/COMMITTERS.rst
+++ b/COMMITTERS.rst
@@ -72,6 +72,10 @@ Code contribution
 5.  Has made a significant improvement or added an integration with 
services/technologies important to the Airflow
     Ecosystem
 
+6.  Actively participated in the security process, as a member of security 
team, discussing, assessing and
+    fixing security issues.
+
+
 Community contributions
 ^^^^^^^^^^^^^^^^^^^^^^^^
 
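Review bot: new item 6 is missing an article ("as a member of the security team"), and the hunk adds two blank lines before the "Community contributions" heading where the surrounding file uses one; drop the extra blank line.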
@@ -144,6 +148,8 @@ Code contribution
   * Code reviews
   * Merging pull requests
   * Fixing bugs and implementing improvements
+  * Actively participating in the security process and significantly 
contributing to overall security of
+    Airflow
 
 
 Only a current PMC member can nominate a current committer to be part of PMC.
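Review bot: the new bullet should mirror the committer-level criterion added earlier in this commit (item 6 under "Code contribution"), which ties participation to being a member of the security team; either use the same wording here or make clear that PMC candidates are judged on overall security contribution rather than on team membership.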
diff --git a/dev/README_RELEASE_AIRFLOW.md b/dev/README_RELEASE_AIRFLOW.md
index e248468f3b..107b07f603 100644
--- a/dev/README_RELEASE_AIRFLOW.md
+++ b/dev/README_RELEASE_AIRFLOW.md
@@ -42,6 +42,7 @@
   - [Verify production images](#verify-production-images)
   - [Publish documentation](#publish-documentation)
   - [Notify developers of release](#notify-developers-of-release)
+  - [Send announcements about security issues fixed in the 
release](#send-announcements-about-security-issues-fixed-in-the-release)
   - [Add release data to Apache Committee Report 
Helper](#add-release-data-to-apache-committee-report-helper)
   - [Update Announcements page](#update-announcements-page)
   - [Create release on GitHub](#create-release-on-github)
@@ -763,6 +764,20 @@ Send the same email to [email protected], except change 
the opening line to `D
 It is more reliable to send it via the web ui at 
https://lists.apache.org/[email protected]
 (press "c" to compose a new thread)
 
+## Send announcements about security issues fixed in the release
+
+The release manager should review and mark as READY all the security issues 
fixed in the release.
+Such issues are marked as affecting `< <JUST_RELEASED_VERSION>` in the CVE 
management tool
+at https://cveprocess.apache.org/. Then the release manager should announced 
the issues via the tool.
+
+Once announced, each of the issue should be linked with a 'reference' with tag 
'vendor advisory' with the
+URL to the announcement published automatically by the CVE management tool.
+Note that the [email protected] is moderated, and the link to the email 
thread will not be published
+immediately, that's why it is recommended to add the link to 
[email protected] which takes usually
+few seconds to be published after the CVE tool sends them.
+
+The ASF Security will be notified and will submit to the CVE project and will 
set the state to 'PUBLIC'.
+
 ## Add release data to Apache Committee Report Helper
 
 Add the release data (version and date) at: 
https://reporter.apache.org/addrelease.html?airflow
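Review bot: typos in the new section: "should announced the issues" should be "should announce the issues"; "each of the issue should be linked" should be "each issue should be linked"; "takes usually few seconds" should be "usually takes a few seconds"; and the "the" before the moderated list address should go. Also, this block is pasted verbatim into three release READMEs in the same commit; consider keeping it in one place (or a shared include) so the copies do not drift, and say explicitly that `< <JUST_RELEASED_VERSION>` is a placeholder for the version string the release manager enters in the CVE tool.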
diff --git a/dev/README_RELEASE_HELM_CHART.md b/dev/README_RELEASE_HELM_CHART.md
index ada0ffa0d2..29a746c5e5 100644
--- a/dev/README_RELEASE_HELM_CHART.md
+++ b/dev/README_RELEASE_HELM_CHART.md
@@ -38,6 +38,7 @@
   - [Publish release tag](#publish-release-tag)
   - [Publish documentation](#publish-documentation)
   - [Notify developers of release](#notify-developers-of-release)
+  - [Send announcements about security issues fixed in the 
release](#send-announcements-about-security-issues-fixed-in-the-release)
   - [Add release data to Apache Committee Report 
Helper](#add-release-data-to-apache-committee-report-helper)
   - [Update Announcements page](#update-announcements-page)
   - [Create release on GitHub](#create-release-on-github)
@@ -689,6 +690,20 @@ Send the same email to [email protected], except change 
the opening line to `D
 It is more reliable to send it via the web ui at 
https://lists.apache.org/[email protected]
 (press "c" to compose a new thread)
 
+## Send announcements about security issues fixed in the release
+
+The release manager should review and mark as READY all the security issues 
fixed in the release.
+Such issues are marked as affecting `< <JUST_RELEASED_VERSION>` in the CVE 
management tool
+at https://cveprocess.apache.org/. Then the release manager should announced 
the issues via the tool.
+
+Once announced, each of the issue should be linked with a 'reference' with tag 
'vendor advisory' with the
+URL to the announcement published automatically by the CVE management tool.
+Note that the [email protected] is moderated, and the link to the email 
thread will not be published
+immediately, that's why it is recommended to add the link to 
[email protected] which takes usually
+few seconds to be published after the CVE tool sends them.
+
+The ASF Security will be notified and will submit to the CVE project and will 
set the state to 'PUBLIC'.
+
 ## Add release data to Apache Committee Report Helper
 
 Add the release data (version and date) at: 
https://reporter.apache.org/addrelease.html?airflow
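Review bot: this block is an exact copy of the section added to dev/README_RELEASE_AIRFLOW.md in the same commit and carries the same typos ("should announced", "each of the issue", "takes usually few seconds"); fix them in all copies together, or factor the text out so there is a single source.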
diff --git a/dev/README_RELEASE_PROVIDER_PACKAGES.md 
b/dev/README_RELEASE_PROVIDER_PACKAGES.md
index 98ebc39a82..45f44e40f7 100644
--- a/dev/README_RELEASE_PROVIDER_PACKAGES.md
+++ b/dev/README_RELEASE_PROVIDER_PACKAGES.md
@@ -45,6 +45,7 @@
   - [Publish documentation prepared 
before](#publish-documentation-prepared-before)
   - [Add tags in git](#add-tags-in-git-1)
   - [Notify developers of release](#notify-developers-of-release)
+  - [Send announcements about security issues fixed in the 
release](#send-announcements-about-security-issues-fixed-in-the-release)
   - [Announce about the release in social 
media](#announce-about-the-release-in-social-media)
   - [Add release data to Apache Committee Report 
Helper](#add-release-data-to-apache-committee-report-helper)
   - [Close the testing status issue](#close-the-testing-status-issue)
@@ -990,6 +991,20 @@ It is more reliable to send it via the web ui at 
https://lists.apache.org/list.h
 Note If you choose sending it with your email client make sure the email is 
set to plain text mode.
 Trying to send HTML content will result in failure.
 
+## Send announcements about security issues fixed in the release
+
+The release manager should review and mark as READY all the security issues 
fixed in the release.
+Such issues are marked as affecting `< <JUST_RELEASED_VERSION>` in the CVE 
management tool
+at https://cveprocess.apache.org/. Then the release manager should announced 
the issues via the tool.
+
+Once announced, each of the issue should be linked with a 'reference' with tag 
'vendor advisory' with the
+URL to the announcement published automatically by the CVE management tool.
+Note that the [email protected] is moderated, and the link to the email 
thread will not be published
+immediately, that's why it is recommended to add the link to 
[email protected] which takes usually
+few seconds to be published after the CVE tool sends them.
+
+The ASF Security will be notified and will submit to the CVE project and will 
set the state to 'PUBLIC'.
+
 ## Announce about the release in social media
 
 
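Review bot: third verbatim copy of the "Send announcements about security issues fixed in the release" section; the same typo fixes apply ("should announce", "each issue", "usually takes a few seconds"). Placing it before "Announce about the release in social media" matches the TOC entry added above, which is good, but three hand-maintained copies argue for one shared text.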