Hi all,

Just to sync the results of the vote for setting up a [email protected] mailing list: it has been rejected [1].

Another very important thing is that all the people agree that there should be a guideline on how to report security issues on the Flink website. Do you think we should bring up a separate discussion/vote thread? If so, I will do that. Personally I think that discussing on the PR is enough. What do you think? I have created a PR [2]. I would appreciate it if you could take a look.

Regards,
Dian

[1] http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/VOTE-Setup-a-security-flink-apache-org-mailing-list-tt35205.html
[2] https://github.com/apache/flink-web/pull/287

On Thu, Nov 21, 2019 at 3:58 PM Dian Fu <[email protected]> wrote:

> Hi all,
>
> There is no new feedback and it seems that we have received enough feedback about setting up a [email protected] mailing list [1] for security reports and discussion. It shows that it's optional, as we can use either [email protected] or [email protected]. So I'd like to start the vote for setting up a [email protected] mailing list to make the final decision.
>
> Thanks,
> Dian
>
> On Nov 19, 2019, at 6:06 PM, Dian Fu <[email protected]> wrote:
>
> Hi all,
>
> Thanks for sharing your thoughts. Appreciated! Let me try to summarize the information and thoughts received so far. Please feel free to let me know if there is anything wrong or missing.
>
> 1. Set up a project-specific security mailing list
> Pros:
> - The security reports received by [email protected] will be forwarded to the project private (PMC) mailing list. Having a project-specific security mailing list is helpful in cases when the best person to address the security issue is not a PMC member, but a committer. It makes things simple as everyone (both PMCs and committers) is at the same table.
> - Even though security issues are usually rare, they could be devastating and thus need to be treated seriously.
> - Most notable Apache projects such as Apache Commons, Hadoop, Spark, Kafka, Hive, etc. have a security-specific mailing list.
>
> Cons:
> - The ASF security mailing list [email protected] could be used if there is no project-specific security mailing list.
> - The number of security reports is very low.
>
> Additional information:
> - The security mailing list could only be subscribed to by PMCs and committers. However, everyone could report security issues to the security mailing list.
>
> 2. Guide users to report security issues
> Why:
> - Security vulnerabilities should not be publicly disclosed (e.g. via the dev ML or JIRA) until the project has responded. We should guide users on how to report security issues on the Flink website.
>
> How:
> - Option 1: Set up [email protected] and ask users to report security issues there
> - Option 2: Ask users to send security reports to [email protected]
> - Option 3: Ask users to send security reports directly to [email protected]
>
> 3. Dedicated page to show the security vulnerabilities
> - We may need a dedicated security page to describe the CVE list on the Flink website.
>
> I think it makes sense to open separate discussion threads on 2) and 3). I'll create separate discussion threads for them. Let's focus on 1) in this thread.
>
> If there is no other feedback on 1), I'll bring up a VOTE for this discussion.
>
> What do you think?
>
> Thanks,
> Dian
>
> On Fri, Nov 15, 2019 at 10:18 AM Becket Qin <[email protected]> wrote:
>
>> Thanks for bringing this up, Dian.
>>
>> +1 on creating a project-specific security mailing list. My two cents: I think it is worth doing in practice.
>>
>> Although the ASF security ML is always available, usually all the emails are simply routed to the individual project PMC. This is an additional hop. And in some cases, the best person to address the reported issue may not be a PMC member, but a committer, so the PMC has to again involve them in the loop. This makes things unnecessarily complicated. Having a project-specific security ML would make it much easier to have everyone at the same table.
>>
>> Also, one thing to note is that even though security issues are usually rare, they could be devastating, and thus need to be treated seriously. So I think it is a good idea to establish the handling mechanism regardless of the frequency of the reported security vulnerabilities.
>>
>> Thanks,
>>
>> Jiangjie (Becket) Qin
>>
>> On Fri, Nov 15, 2019 at 1:14 AM Yu Li <[email protected]> wrote:
>>
>>> Thanks for bringing up this discussion Dian! How to report security bugs to our project is a very important topic!
>>>
>>> Big +1 on adding some explicit instructions in our documentation about how to report security issues, and I suggest opening another thread to vote on the reporting way in Flink.
>>>
>>> FWIW, known options to report security issues include:
>>> 1. Set up [email protected] and ask users to report security issues there
>>> 2. Ask users to send security reports to [email protected]
>>> 3. Ask users to send security reports directly to [email protected]
>>>
>>> More details:
>>>
>>> Descriptions on http://apache.org/security/:
>>> *============================================*
>>>
>>> *We strongly encourage folks to report security vulnerabilities to one of our private security mailing lists first, before disclosing them in a public forum.*
>>>
>>> *A list of security contacts for Apache projects <http://apache.org/security/projects.html> is available. If you can't find a project specific security e-mail address and you have an undisclosed security vulnerability to report then please use the general security address below.*
>>>
>>> *The general security mailing list address is: [email protected] <[email protected]>. This is a private mailing list.*
>>> *============================================*
>>>
>>> There are also projects directly using the private@ mailing list to report security issues, such as HBase (as documented at the very beginning of its online ref-guide book here <http://hbase.apache.org/book.html#_preface>).
>>>
>>> Hope this information helps. Thanks.
>>>
>>> Best Regards,
>>> Yu
>>>
>>> On Thu, 14 Nov 2019 at 18:11, Chesnay Schepler <[email protected]> wrote:
>>>
>>>> Source: https://www.apache.org/security/
>>>>
>>>> Now, we can of course set up such a mailing list (as outlined here https://www.apache.org/security/committers.html), but I'm not sure if it is necessary since the number of reports is _really_ low.
>>>>
>>>> On 14/11/2019 11:03, Chesnay Schepler wrote:
>>>>> AFAIK, the official way to report vulnerabilities in any Apache project is to write to [email protected] and/or notify the respective PMC. So far, we had several reports that went this route, hence I'm not convinced that an additional ML is required.
>>>>>
>>>>> I would be fine with an additional paragraph somewhere outlining this though.
>>>>>
>>>>> On 14/11/2019 06:57, Jark Wu wrote:
>>>>>> Hi Dian,
>>>>>>
>>>>>> Good idea and +1 to set up a security mailing list.
>>>>>> Security vulnerabilities should not be publicly disclosed (e.g. via the dev ML or JIRA) until the project has responded.
>>>>>> However, AFAIK, Flink doesn't have an official process to report vulnerabilities.
>>>>>> It would be nice to have one to protect Flink users and respond to security problems quickly.
>>>>>>
>>>>>> Btw, we may also need a dedicated page to describe the security vulnerability report process and CVE list on the website.
>>>>>>
>>>>>> Best,
>>>>>> Jark
>>>>>>
>>>>>> On Thu, 14 Nov 2019 at 13:36, Hequn Cheng <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Dian,
>>>>>>>
>>>>>>> Good idea! +1 to have a security mailing list.
>>>>>>> It is nice for Flink to have an official procedure to handle security problems, e.g., reporting, addressing and publishing.
>>>>>>>
>>>>>>> Best, Hequn
>>>>>>>
>>>>>>> On Thu, Nov 14, 2019 at 1:20 PM Jeff Zhang <[email protected]> wrote:
>>>>>>>
>>>>>>>> Thanks Dian Fu for this proposal. +1 for creating a security mailing list. To be noticed, the security mailing list is a private mailing list and could not be subscribed to publicly.
>>>>>>>> FYI, Apache members can create mailing lists using this self-service tool https://selfserve.apache.org/
>>>>>>>>
>>>>>>>> jincheng sun <[email protected]> wrote on Thu, Nov 14, 2019 at 12:25 PM:
>>>>>>>>
>>>>>>>>> Hi Dian,
>>>>>>>>>
>>>>>>>>> Thanks a lot for bringing up this discussion. This is very important for the Flink community!
>>>>>>>>>
>>>>>>>>> I think setting up a security mailing list for Flink is pretty nice, although `[email protected]` can be used and the report will be forwarded to the Flink private mailing list if there is no project-specific security mailing list. One thing that is pretty sure is that we should guide users on how to report security issues on the Flink website, as security vulnerabilities should not be entered into a project's public bug tracker directly, according to the guidance on how to handle security vulnerabilities on the ASF site [1].
>>>>>>>>>
>>>>>>>>> Besides, we also need to add a security page in Flink which shows the information about the security vulnerabilities, per the guidance on security vulnerabilities on the ASF site [2]. Projects such as Spark [3], Kafka [4], etc. already have such a page.
>>>>>>>>>
>>>>>>>>> Best,
>>>>>>>>> Jincheng
>>>>>>>>>
>>>>>>>>> [1] https://www.apache.org/security/committers.html#vulnerability-handling
>>>>>>>>> [2] https://www.apache.org/security/committers.html#publishing-information
>>>>>>>>> [3] https://spark.apache.org/security.html
>>>>>>>>> [4] https://kafka.apache.org/cve-list
>>>>>>>>>
>>>>>>>>> Dian Fu <[email protected]> wrote on Thu, Nov 14, 2019 at 12:12 PM:
>>>>>>>>>
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> I'm reaching out to see if there is an existing security-specific mailing list in Flink. If there is, we should expose it on the official website of Flink [1] to guide people to report security issues to this mailing list. If it still doesn't exist, I'm here to propose setting up a [email protected] mailing list for reporting and discussion of security-specific issues. Currently, most well-known Apache projects such as Apache Commons [2], Hadoop [3], Spark [4], Kafka [5], Hive [6], etc. have a security-specific mailing list. It would be nice if there were also a security-specific mailing list for Flink.
>>>>>>>>>>
>>>>>>>>>> Note that users should report security issues to the security mailing list.
>>>>>>>>>>
>>>>>>>>>> Looking forward to your feedback!
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Dian
>>>>>>>>>>
>>>>>>>>>> [1] https://flink.apache.org/community.html
>>>>>>>>>> [2] https://commons.apache.org/mail-lists.html
>>>>>>>>>> [3] https://hadoop.apache.org/mailing_lists.html
>>>>>>>>>> [4] https://spark.apache.org/community.html
>>>>>>>>>> [5] https://kafka.apache.org/project-security.html
>>>>>>>>>> [6] https://hive.apache.org/mailing_lists.html
>>>>>>>>
>>>>>>>> --
>>>>>>>> Best Regards
>>>>>>>>
>>>>>>>> Jeff Zhang
