Hi,

Some recent developments had me thinking on security, and especially vendor
risks. One of my starting points is then what is common in open source, as
this is often a source of high quality stuff (and ... other quality as
well). As such, I also came across the Security page we have in the Avro
doc/ folder.

Now the essence of that page is nice and clear: "Apache Avro project shares
the same security policy as the Apache Software Foundation"

This means reporting issues, etc. However, there is nothing on our
security model. I.e., what can users of our library expect, and what should
they do themselves?

To address this, I propose adding two headers and a few paragraphs,
resulting in something like:

*Security Policy*

Apache Avro project shares the same security policy as the Apache Software
Foundation.

*Security Model*

The Avro library implementations are designed to read and write any data
conforming
to a schema. Transport is outside the scope of the Avro library, so when
downstream
applications process sensitive data, it is their own responsibility to
ensure the
integrity and security of the data.

Although the Avro library will not read or write data except as directed to
by
invoking it, avoiding leaking data into a side channel like log files is a
non-goal
security-wise for Avro. This means, for example, that you will need to
catch and
handle exceptions instead of simply writing them to a log file.

Having said this, downstream applications can expect that Avro will not
read or
write data unless this is clear from the API, nor will we execute random
code.
Although schemas can define custom (implicit) conversions, and execute
foreign
code, this is always controllable by the downstream application.


What do you think can be improved? I'm quite new to this sort of
documentation, so any tips to improve this are most welcome!


Kind regards,
Oscar

-- 

✉️ Oscar Westra van Holthe - Kind <opw...@apache.org>🌐
https://github.com/opwvhk/

Reply via email to