Hi Dian, Good idea! +1 to have a security mailing list. It is nice for Flink to have an official procedure to handle security problems, e.g., reporting, addressing and publishing.
Best,
Hequn

On Thu, Nov 14, 2019 at 1:20 PM Jeff Zhang <zjf...@gmail.com> wrote:

> Thanks Dian Fu for this proposal. +1 for creating a security mailing list.
> To be noted, the security mailing list is a private mailing list and cannot
> be subscribed to publicly.
> FYI, Apache members can create mailing lists using this self-service tool:
> https://selfserve.apache.org/
>
>
> jincheng sun <sunjincheng...@gmail.com> wrote on Thu, Nov 14, 2019 at 12:25 PM:
>
> > Hi Dian,
> >
> > Thanks a lot for bringing up this discussion. This is very important for
> > the Flink community!
> >
> > I think setting up a security mailing list for Flink is pretty nice,
> > although `secur...@apache.org` can be used and the report will be
> > forwarded to the Flink private mailing list if there is no
> > project-specific security mailing list. One thing that is pretty sure is
> > that we should guide users on how to report security issues on the Flink
> > website, as security vulnerabilities should not be entered into a
> > project's public bug tracker directly, according to the guidance on how
> > to handle security vulnerabilities on the ASF site [1].
> >
> > Besides, we also need to add a security page in Flink which shows the
> > information about the security vulnerabilities, per the guidance on
> > security vulnerabilities on the ASF site [2]. Projects such as Spark [3],
> > Kafka [4], etc. already have such a page.
> >
> > Best,
> > Jincheng
> >
> > [1] https://www.apache.org/security/committers.html#vulnerability-handling
> > [2] https://www.apache.org/security/committers.html#publishing-information
> > [3] https://spark.apache.org/security.html
> > [4] https://kafka.apache.org/cve-list
> >
> > Dian Fu <dian0511...@gmail.com> wrote on Thu, Nov 14, 2019 at 12:12 PM:
> >
> > > Hi all,
> > >
> > > I'm reaching out to see if there is an existing security-specific
> > > mailing list in Flink. If there is, we should expose it on the official
> > > website of Flink [1] to guide people to report security issues to this
> > > mailing list.
> > > If it still doesn't exist, I'm here to propose to set up a
> > > secur...@flink.apache.org mailing list for reporting and discussion of
> > > security-specific issues. Currently, most well-known Apache projects
> > > such as Apache Commons [2], Hadoop [3], Spark [4], Kafka [5], Hive [6],
> > > etc. have a security-specific mailing list. It would be nice if there
> > > were also a security-specific mailing list for Flink.
> > >
> > > Note that users should report security issues to the security mailing
> > > list.
> > >
> > > Looking forward to your feedback!
> > >
> > > Regards,
> > > Dian
> > >
> > > [1] https://flink.apache.org/community.html
> > > [2] https://commons.apache.org/mail-lists.html
> > > [3] https://hadoop.apache.org/mailing_lists.html
> > > [4] https://spark.apache.org/community.html
> > > [5] https://kafka.apache.org/project-security.html
> > > [6] https://hive.apache.org/mailing_lists.html
> > >
> >
>
>
> --
> Best Regards
>
> Jeff Zhang