potiuk opened a new pull request, #399
URL: https://github.com/apache/airflow-steward/pull/399

## Summary

**Fifth and final PR of the security genericization series.** Lifts the remaining 4 docs in `docs/security/` to read config knobs from `projects/_template/project.md` and the contract docs from PR1-PR4 (`cve_authority.*`, `governance.*`, `security_inbox.*`, `forwarders.*`, `archive_system.*`, `scope_detection.*`). Plus a final scrub of 4 skills for leftover ASF/Vulnogram literals that survived earlier passes.

**Byte-equivalent for the airflow-s adopter.** Every ASF/Airflow/Vulnogram-specific value either resolves through a config knob whose ASF default matches today's behaviour, OR stays as one named-example aside in generic prose.

## Per-target lifts

| Target | Lines | Highlights |
|---|---|---|
| `docs/security/threat-model.md` | +107/-77 | Purpose/Scope/Assumptions reframed; STRIDE rows A.6/A.7/C.1-C.4/E.1-E.2 lifted (Vulnogram → `<cve-tool>`; `[email protected]` → `<security-list>`; `DRAFT`/`REVIEW`/`READY`/`PUBLIC` → `cve_authority.states` sequence); mitigations M.10/M.16/M.18/M.19/M.27 + residual risks #3/#8/#10/#11 + re-audit cadence ownership generalised. |
| `docs/security/forwarder-routing-policy.md` | +42/-27 | References the optional [`security-issue-import-via-forwarder`](https://github.com/apache/airflow-steward/blob/main/.claude/skills/security-issue-import-via-forwarder/SKILL.md) sub-skill (PR3 [#387](https://github.com/apache/airflow-steward/pull/387)) and the [`tools/forwarder-relay/README.md`](https://github.com/apache/airflow-steward/blob/main/tools/forwarder-relay/README.md) contract. `forwarders.enabled` / `forwarders.<adapter>.contact_handle` / `foundation_security_address` replace the inlined ASF-Security relay shape. |
| `docs/security/how-to-fix-a-security-issue.md` | +20/-8 | "governance-authorised member of the adopting project (per `governance.cve_allocation_gate`)" replaces "PMC member of apache/airflow"; `<cve-tool>` + `cve_authority.*` replaces Vulnogram-specific URLs and state names. |
| `docs/security/new-members-onboarding.md` | +26/-13 | Onboarding-style register preserved. "PMC members and committers" reframed as "governance body that satisfies `governance.cve_allocation_gate`"; per-user-config "PMC status" steps reference the governance knob. |
| `security-issue-import`, `-via-forwarder`, `-invalidate`, `-fix` (scrub) | +17/-15 | Leftover literal references caught and lifted to `roster.bare_name_handles` / `governance.escalation_contact` / `forwarders.<adapter>.contact_handle`. |

**Aggregate**: 8 files, **+240 / -156 lines**.

## The series, end-to-end

| PR | Scope | Status |
|---|---|---|
| [#381](https://github.com/apache/airflow-steward/pull/381) | Schema + adapter contracts | merged |
| [#386](https://github.com/apache/airflow-steward/pull/386) | Config-driven lifts of 6 skills | merged |
| [#387](https://github.com/apache/airflow-steward/pull/387) | Forwarder-relay + mail-archive sub-tools | merged |
| [#388](https://github.com/apache/airflow-steward/pull/388) | CVE-authority sub-tool extract | merged |
| **(this)** | Docs lift + final scrub | this PR |

After this PR merges, the security skill family is **generic by default**:

- **For ASF projects** (like airflow-s, the reference adopter): the ASF defaults in `projects/_template/project.md` resolve every knob to today's behaviour. Vulnogram URLs, PMC-only allocation, `[email protected]` inbox, PonyMail archive, ASF-Security forwarder, `airflow | providers | chart` scope cascade: all unchanged at runtime.
- **For non-ASF adopters**: override specific dimensions in `<project-config>/project.md` to plug in alternative CVE authorities (CVE.org direct submission, MITRE form, GHSA-only), mail providers (IMAP, Outlook, Discourse), archive systems (Hyperkitty, Discourse, Google Groups, GitHub Discussions), governance gates, scope axes, and roster sources.

Adapter contracts in `tools/cve-tool/README.md`, `tools/mail-archive/README.md`, and `tools/forwarder-relay/README.md` describe the interface.

## Test plan

- [x] `uv run --project tools/skill-and-tool-validator skill-and-tool-validate` clean (5 advisory soft warnings, none hard, all on files outside PR5 scope).
- [x] `pytest` clean for the validator (218 tests).
- [x] All pre-commit hooks pass.
- [ ] Spot-read each rewritten doc on GitHub to confirm the airflow-s named-example asides land where they should and the generic prose reads cleanly.
- [ ] Confirm the airflow-s adopter, with the ASF defaults unchanged, still gets the same security-flow behaviour as before (byte-equivalence invariant, the closing test for the series).

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
