Hi Mark,

On Thu, 10 Oct 2024 at 11:00, Mark J. Cox <m...@apache.org> wrote:
> Hi Chris! As Arnout wrote, we set up the public security-discuss list and
> wiki to be such a working group to capture and share some best practices
> among our projects. It was the follow-up from some of the good ideas
> captured after the White House meetings following on from log4shell. Then,
> anything that we want to make a requirement, rather than a recommended
> practice, would feed back into the security committee to add into our
> existing policies. I believe that's the right place for the things you're
> suggesting.
>
> The list hasn't had a lot of traction, and many of the ideas and thoughts on
> the wiki didn't get followed up on as it didn't get a lot of interest (mostly
> lacking volunteers wanting to spend the time on it). So it would be great to
> get some more feedback, input, and leadership from you there.
As you remarked, the list doesn't have a lot of traction, and I didn't see any of the subjects that were discussed there being pursued further.

Last week, together with some members of the Logging PMC and Security Team, I had a video meeting with two security experts regarding the quality of our SBOMs (not very high), how to improve it, and then how to extend their usage in the ASF. I will share my conclusions about the meeting on `security-discuss@community` once I get around to all the subjects that were discussed, but I found the overall experience of a (virtual) face-to-face meeting more productive than long discussions on `security-discuss@community`.

Maybe we should have a regular Security Round Table held on a video conference platform. This would allow us:

* to communicate with the Security Team more directly,
* to think about security more regularly (there is a meeting, I need to prepare),
* to have some short meeting notes that show us how fast (or slowly) security awareness in the ASF is growing.

What do you think?

Piotr