I did a quick survey, and it seems that most projects do not have a security team[1], which means that vulnerabilities should be reported to [email protected]. Of the projects that do, Kafka seems a good model to follow; its security page is simple and clear[2].
Julian

[1] http://www.apache.org/security/projects.html
[2] http://kafka.apache.org/project-security.html

> On Aug 23, 2016, at 6:29 PM, P. Taylor Goetz <[email protected]> wrote:
>
> The maturity model assessment looks good to me, though I haven't delved deep
> into it.
>
> Regarding security issues, since Eagle is a security-related product I would
> expect there to be a well-defined process/protocol that ensured vulnerability
> reports were kept private until patched, CVE process, etc. Eagle hasn't had
> any major security issues during incubation, but should be prepared for them
> after graduation.
>
> Here [1] [2] are two great resources for understanding what is expected from
> an ASF standpoint.
>
> -Taylor
>
> [1] http://www.apache.org/security/
> [2] http://www.apache.org/security/committers.html
>
>> On Aug 23, 2016, at 6:52 PM, Julian Hyde <[email protected]> wrote:
>>
>> I reviewed
>> https://cwiki.apache.org/confluence/display/EAG/Eagle+Podling+Maturity+Assessment
>> and it looks good.
>>
>> Only one issue. Regarding QU30: The dev list and JIRA (listed in
>> http://eagle.incubator.apache.org/sup/index.html) do not seem appropriate
>> places to report security issues, because they are public. Is a private
>> channel needed?
>>
>> Can some other mentors please review?
>>
>> I think the consensus is emerging that Eagle is ready to graduate. The
>> community should start taking steps to graduate, including agreeing bylaws
>> (or deciding that bylaws are not necessary), choosing an initial PMC chair,
>> crafting the resolution for the Board, and starting a vote thread.
>>
>> Julian
>>
>>> On Jul 31, 2016, at 9:05 PM, Edward Zhang <[email protected]> wrote:
>>>
>>> I have commented on some assessment points, and we can remove that once
>>> they are reviewed.
>>>
>>> Thanks
>>> Edward
>>>
>>>> On Sun, Jul 31, 2016 at 7:09 PM, Hao Chen <[email protected]> wrote:
>>>>
>>>> Thanks Michael for preparing the "Eagle Podling Maturity Assessment".
>>>>
>>>> Eagle community,
>>>>
>>>> could you (in particular Mentors & PPMC) please help review and comment?
>>>>
>>>> - Hao
>>>>
>>>>> On Fri, Jul 29, 2016 at 4:36 PM, Michael Wu <[email protected]> wrote:
>>>>>
>>>>> Hi guys,
>>>>>
>>>>> Following the model Julian cited, we created a wiki page for
>>>>> self-assessment at:
>>>>> https://cwiki.apache.org/confluence/display/EAG/Eagle+Podling+Maturity+Assessment
>>>>> Please take a look at it and make your valuable judgement and
>>>>> instructions.
>>>>>
>>>>> Overall, according to the aspects that the model values and inspects, and
>>>>> traversing the results listed in the wiki page, personally, I think Eagle
>>>>> is approaching the point of graduation, and is facing the right way
>>>>> towards it. (Please correct me if I'm wrong, thanks.)
>>>>>
>>>>> In this assessment wiki page, status "OK" stands for all the resolved
>>>>> items, and status "ON GOING" stands for 2 items that we're striving to
>>>>> work on and will update. Additionally, there is 1 item marked as
>>>>> "NOT APPLY" because the "convenient binaries" model seems not to fit
>>>>> Eagle. Could you please verify whether that's true and whether rule RE40
>>>>> <https://cwiki.apache.org/confluence/display/EAG/Eagle+Podling+Maturity+Assessment#EaglePodlingMaturityAssessment-RE40>
>>>>> could be skipped?
>>>>>
>>>>> Any comment and instruction will be appreciated, as all we made or will
>>>>> make is to keep the project running in the right way. :)
>>>>>
>>>>> Michael
>>>>>
>>>>>> On Fri, Jul 29, 2016 at 12:28 PM, Hao Chen <[email protected]> wrote:
>>>>>>
>>>>>> Thanks very much for bringing up the graduation discussion for Eagle.
>>>>>>
>>>>>> The Eagle community has almost fully understood how to run an open
>>>>>> source project in the Apache way. Apache Eagle (incubating) is now open
>>>>>> to be contributed to and adopted by lots of different organizations,
>>>>>> including but not limited to eBay, Paypal, Dataguides, Yihaodian, etc.
>>>>>> The community has continuously been building and expanding itself by
>>>>>> sharing and talking about Eagle with the world industry in international
>>>>>> conferences like Hadoop Summit, Hadoop Stratus, QCon in San Jose,
>>>>>> London, Dublin, Shanghai, Beijing, etc., and also lots of meetups. And
>>>>>> the community has successfully released v0.3.0 and v0.4.0 and is
>>>>>> actively preparing v0.5.0 following the Apache release process.
>>>>>>
>>>>>> To make it clear how close Eagle is to being ready to graduate, right
>>>>>> now the community is working on preparing an "Eagle Podling Maturity
>>>>>> Assessment" to measure how mature Eagle is and what tasks may remain
>>>>>> before graduation; it will be sent out very soon.
>>>>>>
>>>>>> - Hao
>>>>>>
>>>>>> On Fri, Jul 29, 2016 at 11:25 AM, P. Taylor Goetz <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Graduation is mostly about whether a podling is healthy in terms of
>>>>>>> growing the community and making releases. I don't think technical
>>>>>>> issues are relevant here.
>>>>>>>
>>>>>>> -Taylor
>>>>>>>
>>>>>>>> On Jul 28, 2016, at 8:12 PM, Tang Jijun(上海_技术部_架构部_大数据平台_唐觊隽)
>>>>>>>> <[email protected]> wrote:
>>>>>>>>
>>>>>>>> I don't think Eagle is ready to graduate.
>>>>>>>> Because:
>>>>>>>> 1. Code is not stable.
>>>>>>>> 2. Project needs more unit tests.
>>>>>>>>
>>>>>>>> Best Wishes
>>>>>>>>
>>>>>>>> 唐觊隽
>>>>>>>> Jr. Engineer, Architecture - Foundation, Tech Dept
>>>>>>>> Floor 4, 295 ZUCHONGZHI RD, Zhangjiang, Shanghai (201203)
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Edward Zhang [mailto:[email protected]]
>>>>>>>> Sent: July 29, 2016 5:19
>>>>>>>> To: [email protected]
>>>>>>>> Subject: Re: [DISCUSS] Is Eagle ready to graduate?
>>>>>>>>
>>>>>>>> Yes, we should discuss that on the list, and will go through the
>>>>>>>> maturity model first soon.
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Edward
>>>>>>>>
>>>>>>>>> On Thu, Jul 28, 2016 at 2:15 PM, Julian Hyde <[email protected]>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> … also want to discuss this with other contributors.
>>>>>>>>>
>>>>>>>>> Why not discuss with them on this list?
>>>>>>>>>
>>>>>>>>> Julian
