Hi Dian,

Good idea, and +1 to setting up a security mailing list.
Security vulnerabilities should not be publicly disclosed (e.g. via the dev ML
or JIRA) until the project has responded.
However, AFAIK, Flink doesn't have an official process to
report vulnerabilities.
It would be nice to have one to protect Flink users and respond to security
problems quickly.

Btw, we may also need a dedicated page on the website to describe the security
vulnerability reporting process and the CVE list.

Best,
Jark



On Thu, 14 Nov 2019 at 13:36, Hequn Cheng <chenghe...@gmail.com> wrote:

> Hi Dian,
>
> Good idea! +1 to have a security mailing list.
> It is nice for Flink to have an official procedure to handle security
> problems, e.g., reporting, addressing and publishing.
>
> Best, Hequn
>
> On Thu, Nov 14, 2019 at 1:20 PM Jeff Zhang <zjf...@gmail.com> wrote:
>
> > Thanks Dian Fu for this proposal. +1 for creating a security mailing list.
> > Note that a security mailing list is a private mailing list and cannot be
> > subscribed to publicly.
> > FYI, Apache members can create a mailing list using this self-service tool:
> > https://selfserve.apache.org/
> >
> >
> > jincheng sun <sunjincheng...@gmail.com> wrote on Thu, Nov 14, 2019 at 12:25 PM:
> >
> > > Hi Dian,
> > >
> > > Thanks a lot for bringing up this discussion. This is very important
> > > for the Flink community!
> > >
> > > I think setting up a security mailing list for Flink is pretty nice,
> > > although `secur...@apache.org` can be used and the report will be
> > > forwarded to the Flink private mailing list if there is no
> > > project-specific security mailing list. One thing that is pretty sure
> > > is that we should guide users on how to report security issues on the
> > > Flink website, as security vulnerabilities should not be entered into a
> > > project's public bug tracker directly, according to the guidance on how
> > > to handle security vulnerabilities on the ASF site [1].
> > >
> > > Besides, we also need to add a security page in Flink which shows
> > > information about the security vulnerabilities, per the guidance on
> > > security vulnerabilities on the ASF site [2]. Projects such as Spark [3],
> > > Kafka [4], etc. already have such a page.
> > >
> > > Best,
> > > Jincheng
> > >
> > > [1] https://www.apache.org/security/committers.html#vulnerability-handling
> > > [2] https://www.apache.org/security/committers.html#publishing-information
> > > [3] https://spark.apache.org/security.html
> > > [4] https://kafka.apache.org/cve-list
> > >
> > > Dian Fu <dian0511...@gmail.com> wrote on Thu, Nov 14, 2019 at 12:12 PM:
> > >
> > > > Hi all,
> > > >
> > > > I'm reaching out to see if there is an existing security-specific
> > > > mailing list in Flink. If there is, we should expose it on the official
> > > > website of Flink [1] to guide people to report security issues to this
> > > > mailing list. If it still doesn't exist, I'm here to propose setting up
> > > > a secur...@flink.apache.org mailing list for reporting and discussion
> > > > of security-specific issues. Currently, most well-known Apache projects
> > > > such as Apache Commons [2], Hadoop [3], Spark [4], Kafka [5], Hive [6],
> > > > etc. have a security-specific mailing list. It would be nice if there
> > > > were also a security-specific mailing list for Flink.
> > > >
> > > > Note that users should report security issues to the security mailing
> > > > list.
> > > >
> > > > Looking forward to your feedback!
> > > >
> > > > Regards,
> > > > Dian
> > > >
> > > > [1] https://flink.apache.org/community.html
> > > > [2] https://commons.apache.org/mail-lists.html
> > > > [3] https://hadoop.apache.org/mailing_lists.html
> > > > [4] https://spark.apache.org/community.html
> > > > [5] https://kafka.apache.org/project-security.html
> > > > [6] https://hive.apache.org/mailing_lists.html
> > >
> >
> >
> > --
> > Best Regards
> >
> > Jeff Zhang
> >
>
