Hi Dian,

Thanks for driving the effort regardless.

Even if we don't set up a security@f.a.o ML for Flink, we probably should
have a clear pointer to the ASF guideline and secur...@apache.org in the
project website. I think many people are not aware of the
secur...@apache.org address. If they failed to find information in the
Flink site, they will simply assume there is no special procedure for
security problems.

Thanks,

Jiangjie (Becket) Qin

On Tue, Dec 3, 2019 at 4:54 PM Dian Fu <dian0511...@gmail.com> wrote:

> Hi all,
>
> Thanks everyone for participating in this vote. As we have received only two
> +1 and there is also one -1 for this vote, according to the bylaws, I'm
> sorry to announce that this proposal was rejected.
>
> Nevertheless, I think we can always restart the discussion in the future if
> we see more evidence that such a mailing list is necessary.
>
> Thanks,
> Dian
>
>
> > On Dec 3, 2019, at 4:53 PM, Dian Fu <dian0511...@gmail.com> wrote:
> >
> > Actually I have tried to find out the reason why so many Apache projects
> > choose to set up a project specific security mailing list in case that the
> > general secur...@apache.org mailing list seems to be working well.
> > Unfortunately, there are no open discussions in these projects and there is
> > also no clear guideline/standard in the ASF site whether a project should
> > set up such a mailing list (The project specific security mailing list
> > seems only optional and we noticed that at the beginning of the
> > discussion). This is also one of the main reasons we start such a
> > discussion to see if somebody has more thoughts about this.
> >
> >> On Dec 2, 2019, at 6:03 PM, Chesnay Schepler <ches...@apache.org> wrote:
> >>
> >> Would security@f.a.o work as any other private ML?
> >>
> >> Contrary to what Becket said in the discussion thread,
> >> secur...@apache.org is not just "another hop"; it provides guiding
> >> material, the security team checks for activity and can be pinged easily as
> >> they are cc'd in the initial report.
> >>
> >> I vastly prefer this over a separate mailing list; if these benefits
> >> don't apply to security@f.a.o I'm -1 on this.
> >>
> >> On 02/12/2019 02:28, Becket Qin wrote:
> >>> Thanks for driving this, Dian.
> >>>
> >>> +1 from me, for the reasons I mentioned in the discussion thread.
> >>>
> >>> On Tue, Nov 26, 2019 at 12:08 PM Dian Fu <dian0511...@gmail.com> wrote:
> >>>
> >>>> NOTE: Only PMC votes are binding.
> >>>>
> >>>> Thanks for sharing your thoughts. I also think that this doesn't fall into
> >>>> any of the existing categories listed in the bylaws. Maybe we could do some
> >>>> improvements for the bylaws.
> >>>>
> >>>> This is not a codebase change as Robert mentioned and it's related to how to
> >>>> manage Flink's development in a good way. So, I agree with Robert and
> >>>> Jincheng that this VOTE should only count PMC votes for now.
> >>>>
> >>>> Thanks,
> >>>> Dian
> >>>>
> >>>>> On Nov 26, 2019, at 11:43 AM, jincheng sun <sunjincheng...@gmail.com> wrote:
> >>>>>
> >>>>> I also think that we should only count PMC votes.
> >>>>>
> >>>>> This ML is to improve the security mechanism for Flink. Of course we don't
> >>>>> expect to use this ML often. I hope that it's perfect if this ML is never
> >>>>> used. However, the Flink community is growing rapidly, it's better to
> >>>>> make our security mechanism as convenient as possible. But I agree that
> >>>>> this ML is not a must to have, it's nice to have.
> >>>>>
> >>>>> So, I give the vote as +1(binding).
> >>>>>
> >>>>> Best,
> >>>>> Jincheng
> >>>>>
> >>>>> Robert Metzger <rmetz...@apache.org> wrote on Mon, Nov 25, 2019 at 9:45 PM:
> >>>>>
> >>>>>> I agree that we are only counting PMC votes (because this decision goes
> >>>>>> beyond the codebase)
> >>>>>>
> >>>>>> I'm undecided what to vote :) I'm not against setting up a new mailing
> >>>>>> list, but I also don't think the benefit (having a private list with PMC +
> >>>>>> committers) is enough to justify the work involved. As far as I remember,
> >>>>>> we have received 2 security issue notices, both basically about the same
> >>>>>> issue.  I'll leave it to other PMC members to support this if they want to
> >>>>>> ...
> >>>>>>
> >>>>>>
> >>>>>> On Mon, Nov 25, 2019 at 9:15 AM Dawid Wysakowicz <dwysakow...@apache.org> wrote:
> >>>>>>
> >>>>>>> Hi all,
> >>>>>>>
> >>>>>>> What is the voting scheme for it? I am not sure if it falls into any of
> >>>>>>> the categories we have listed in our bylaws. Are committers' votes
> >>>>>>> binding or just PMCs'? (Personally I think it should be PMCs') Is this a
> >>>>>>> binding vote or just an informational vote?
> >>>>>>>
> >>>>>>> Best,
> >>>>>>>
> >>>>>>> Dawid
> >>>>>>>
> >>>>>>> On 25/11/2019 07:34, jincheng sun wrote:
> >>>>>>>> +1
> >>>>>>>>
> >>>>>>>> Dian Fu <dian0511...@gmail.com> wrote on Thu, Nov 21, 2019 at 4:11 PM:
> >>>>>>>>
> >>>>>>>>> Hi all,
> >>>>>>>>>
> >>>>>>>>> According to our previous discussion in [1], I'd like to bring up a vote
> >>>>>>>>> to set up a secur...@flink.apache.org mailing list.
> >>>>>>>>>
> >>>>>>>>> The vote will be open for at least 72 hours (excluding weekend). I'll try
> >>>>>>>>> to close it by 2019-11-26 18:00 UTC, unless there is an objection or not
> >>>>>>>>> enough votes.
> >>>>>>>>>
> >>>>>>>>> Regards,
> >>>>>>>>> Dian
> >>>>>>>>>
> >>>>>>>>> [1]
> >>>>>>>>> http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/DISCUSS-Expose-or-setup-a-security-flink-apache-org-mailing-list-for-security-report-and-discussion-tt34950.html#a34951
> >>>>>>>
> >>>>
> >>
> >
>
>
