Hello,

In the context of CALCITE-6928 <https://issues.apache.org/jira/browse/CALCITE-6928> (sonar is broken in CI), I was checking our sonar configuration here <https://ci-builds.apache.org/job/Calcite/job/Calcite-sonar/configure>. There is a potential security risk with the current settings. I can't change the offending setting (lack of permissions). Who can change settings there? Is it someone maybe from PMC, or shall I create an INFRA ticket?

I don't want to provide more details publicly at this stage, until the issue has been discussed/resolved, for obvious reasons. Unlike other Apache projects, we don't have a security ML; maybe we should look into creating one for cases like this?

Best regards,
Alessandro