I think overall it is a great idea to slowly bring in more people into rotation. It should help with adding redundancy and help prevent burnout for the people who are doing it now.
I would propose perhaps a gradual introduction via a brief shadow period where a new member would monitor the happenings but not partake in decision making, and once they are done with the shadow period they take on full responsibility.

--
Regards,
Aritra Basu

On Mon, Dec 4, 2023, 6:20 PM Jarek Potiuk <[email protected]> wrote:

> Hello everyone,
>
> *TL;DR;* I have a proposal of refinements we can apply to our security team and I am looking for comments and feedback (PR is out there in [1]). In short I am proposing that we introduce rotation of the security team members, so that we can avoid burnout, give a chance to others to learn about security and make security team membership effectively temporary - which might help people with their decision to sign up for a few months to learn new skills and see how it works.
>
> *Context:*
>
> It's been quite a few months since we introduced the security team. I see that as a pretty successful change we implemented. I've given a talk [2] about it together with Arnout from the ASF Security team. But we can always improve and iterate on the idea and I think rotation is a good idea for the team to continue doing a great job and to bring more people in the realm of security.
>
> *Quick summary of where we are:*
>
> * From > 20 issues in March, some of them > 150 days old, we are down to literally reported 2 (!) issues not being addressed yet (few weeks old and we target to close them in the upcoming 2.8.0)
>
> * We introduced and iterated on both our Security Model [3] and Security Policy [4] - some of that is still to be released in 2.8.0 release
>
> * We have successful cooperation with Kei - the security researcher that brought a wealth of great insights and we've learned a ton from him and how to approach security handling.
>
> * Thanks to funding 4 of the PMC members got from Sovereign Tech Fund we were able to also address a lot of potential (and real) threats in our release and build process as well as improve it and harden it - and in the near future also expose SBOM and better vulnerability exchange information to Airflow users
>
> * As a new "ASF Security Committee" member - I already used experiences from our team setup to help other projects to build their own processes (somewhat competing with us "Apache Dolphin Scheduler").
>
> *My personal view:*
>
> I think being part of the security team is a fantastic learning opportunity. Security is becoming more and more important in Software Development - we are at the verge of regulations that will change a lot when it comes to approach to security issues, vulnerabilities, vulnerability exchange, upgrading software and a lot more.
>
> This is an important experience and it's useful to have security-focus and security experience/skills in the future software development industry - both from technical skill level but also process-wise.
>
> The rumour is that the CRA (the Cyber Resilience Act) that is about to regulate security approach for software development in Europe has just completed the intra-EU-policymakers negotiation phase and it already took a final shape. It looks like it is actually very pragmatic and good for the Open Source community at large, as they seem to address literally all the concerns we raised seeing some initial versions of those regulations. It will still, however, mean that our processes have to be sound - and it also seems that we in the ASF and Airflow particularly are well ahead of everyone else and it's us who will be setting the "golden standards" of how things should be done.
>
> There are very few people out there who could say they have "a real, proven experience" with handling well established security processes in Open-Source software, and I think it's good to have more people exposed to it, and it's also good for the people to gain the experience (of course if they are security-minded and they do not see it as "boring" - which many people do).
>
> Looking forward to comments/feedback. Do you think it's a good idea in general?
>
> J.
>
> [1] PR: "Add security team rotation proposal to our security team process"
> https://github.com/apache/airflow/pull/36049
> [2] Presentation: "Lessons Learned: Improving the security process of an Apache project"
> https://docs.google.com/presentation/d/1EIw4_NHI34v-9KzRDqFi7TS8Pn-O3DgUmjuKqlbghZU/edit#slide=id.p
> [3] Airflow Security Model
> https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.html
> [4] Airflow Security Policy
> https://github.com/apache/airflow/security/policy
>
> J.
