Turns out we already have a link to the Apache security page, in the Apache section at the very bottom of the sidebar.

If I open the page it is unfortunately not visible... there are too many things in the sidebar.

Nevertheless an additional entry as done in the PR cannot hurt. I'm taking a look at it right now.

On 04/12/2019 04:45, Dian Fu wrote:
Hi all,

Just syncing the results of the vote for setting up a mailing list security@f.a.o:
it has been rejected [1].

Another very important thing is that all the people agree that there should
be a guideline on how to report security issues on the Flink website. Do you
think we should bring up a separate discussion/vote thread? If so, I will
do that. Personally I think that discussing on the PR is enough. What do
you think?

I have created a PR [2]. I would appreciate it if you could take a look.

Regards,
Dian

[1] http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/VOTE-Setup-a-security-flink-apache-org-mailing-list-tt35205.html
[2] https://github.com/apache/flink-web/pull/287

On Thu, Nov 21, 2019 at 3:58 PM Dian Fu <dian0511...@gmail.com> wrote:

Hi all,

There is no new feedback and it seems that we have received enough
feedback about setting up a secur...@flink.apache.org mailing list [1] for
security reports and discussion. It shows that it's optional as we can use
either secur...@flink.apache.org or secur...@apache.org. So I'd like to
start the vote for setting up a secur...@flink.apache.org mailing list to make
the final decision.

Thanks,
Dian

On Nov 19, 2019, at 6:06 PM, Dian Fu <dian0511...@gmail.com> wrote:

Hi all,

Thanks for sharing your thoughts. Appreciated! Let me try to summarize the
information and thoughts received so far. Please feel free to let me know
if there is anything wrong or missing.

1. Set up a project-specific security mailing list
Pros:
- The security reports received by secur...@apache.org will be forwarded
to the project private (PMC) mailing list. Having a project specific
security mailing list is helpful in cases when the best person to address
the security issue is not a PMC member, but a committer. It makes things
simple as everyone (both PMCs and committers) is at the same table.
- Even though security issues are usually rare, they could be
devastating and thus need to be treated seriously.
- Most notable apache projects such as apache common, hadoop, spark,
kafka, hive, etc. have a security specific mailing list.

Cons:
- The ASF security mailing list secur...@apache.org could be used if
there is no project specific security mailing list.
- The number of security reports is very low.

Additional information:
- The security mailing list can only be subscribed to by PMCs and committers.
However, everyone can report security issues to the security mailing list.


2. Guide users on how to report security issues
Why:
- Security vulnerabilities should not be publicly disclosed (e.g. via dev
ML or JIRA) until the project has responded. We should guide users on how
to report security issues on the Flink website.

How:
- Option 1: Set up secur...@flink.apache.org and ask users to report
security issues there
- Option 2: Ask users to send security report to secur...@apache.org
- Option 3: Ask users to send security report directly to
priv...@flink.apache.org


3. Dedicated page to show the security vulnerabilities
- We may need a dedicated security page to describe the CVE list on the
Flink website.

I think it makes sense to open separate discussion threads on 2) and 3).
I'll create separate discussion threads for them. Let's focus on 1) in this
thread.

If there is no other feedback on 1), I'll bring up a VOTE for this
discussion.

What do you think?

Thanks,
Dian

On Fri, Nov 15, 2019 at 10:18 AM Becket Qin <becket....@gmail.com> wrote:

Thanks for bringing this up, Dian.

+1 on creating a project specific security mailing list. My two cents, I
think it is worth doing in practice.

Although the ASF security ML is always available, usually all the emails
are simply routed to the individual project PMC. This is an additional hop.
And in some cases, the best person to address the reported issue may not be
a PMC member, but a committer, so the PMC has to again involve them in
the loop. This makes things unnecessarily complicated. Having a project
specific security ML would make it much easier to have everyone at the
same table.

Also, one thing to note is that even though security issues are usually
rare, they could be devastating, and thus need to be treated seriously. So I
think it is a good idea to establish the handling mechanism regardless of
the frequency of the reported security vulnerabilities.

Thanks,

Jiangjie (Becket) Qin

On Fri, Nov 15, 2019 at 1:14 AM Yu Li <car...@gmail.com> wrote:

Thanks for bringing up this discussion Dian! How to report security bugs to
our project is a very important topic!

Big +1 on adding some explicit instructions in our document about how to
report security issues, and I suggest opening another thread to vote on the
reporting method for Flink.

FWIW, known options to report security issues include:
1. Set up secur...@flink.apache.org and ask users to report security issues there
2. Ask users to send security reports to secur...@apache.org
3. Ask users to send security reports directly to priv...@flink.apache.org
More details:

Descriptions on http://apache.org/security/:
============================================

We strongly encourage folks to report security vulnerabilities to one of
our private security mailing lists first, before disclosing them in a
public forum.

A list of security contacts for Apache projects
<http://apache.org/security/projects.html> is available. If you can't find
a project specific security e-mail address and you have an undisclosed
security vulnerability to report then please use the general security
address below.

The general security mailing list address is: secur...@apache.org
<secur...@apache.org>. This is a private mailing list.
============================================

There are also projects directly using the private@ mailing list to report
security issues, such as HBase (as documented at the very beginning of its
online ref-guide book here <http://hbase.apache.org/book.html#_preface>).

Hope this information helps. Thanks.

Best Regards,
Yu


On Thu, 14 Nov 2019 at 18:11, Chesnay Schepler <ches...@apache.org> wrote:
Source: https://www.apache.org/security/

Now, we can of course setup such a mailing list (as outlined here
https://www.apache.org/security/committers.html), but I'm not sure if it
is necessary since the number of reports is _really_ low.

On 14/11/2019 11:03, Chesnay Schepler wrote:
AFAIK, the official way to report vulnerabilities in any apache
project is to write to secur...@apache.org and/or notify the
respective PMC. So far, we had several reports that went this route,
hence I'm not convinced that an additional ML is required.

I would be fine with an additional paragraph somewhere outlining this
though.

On 14/11/2019 06:57, Jark Wu wrote:
Hi Dian,

Good idea and +1 to setting up a security mailing list.
Security vulnerabilities should not be publicly disclosed (e.g. via dev ML
or JIRA) until the project has responded.
However, AFAIK, Flink doesn't have an official process to
report vulnerabilities.
It would be nice to have one to protect Flink users and respond to security
problems quickly.

Btw, we may also need a dedicated page to describe the security
vulnerabilities report process and CVE list on the website.

Best,
Jark



On Thu, 14 Nov 2019 at 13:36, Hequn Cheng <chenghe...@gmail.com> wrote:
Hi Dian,

Good idea! +1 to have a security mailing list.
It is nice for Flink to have an official procedure to handle security
problems, e.g., reporting, addressing and publishing.

Best, Hequn

On Thu, Nov 14, 2019 at 1:20 PM Jeff Zhang <zjf...@gmail.com> wrote:
Thanks Dian Fu for this proposal. +1 for creating a security mailing list.
Note that the security mailing list is a private list and cannot be
subscribed to publicly.
FYI, Apache members can create a mailing list using this self-service tool:
https://selfserve.apache.org/


On Thu, Nov 14, 2019 at 12:25 PM jincheng sun <sunjincheng...@gmail.com> wrote:

Hi Dian,

Thanks a lot for bringing up this discussion. This is very important for
the Flink community!

I think setting up a security mailing list for Flink is pretty nice, although
`secur...@apache.org` can be used and the report will be forwarded to the
Flink private mailing list if there is no project specific security mailing
list. One thing that is pretty sure is that we should guide users on how to
report security issues on the Flink website, as security vulnerabilities
should not be entered into a project's public bug tracker directly, according
to the guidance on how to handle security vulnerabilities on the ASF site [1].

Besides, we also need to add a security page in Flink which shows the
information about the security vulnerabilities, per the guidance on security
vulnerabilities on the ASF site [2]. Projects such as spark [3], kafka [4],
etc. already have such a page.

Best,
Jincheng

[1] https://www.apache.org/security/committers.html#vulnerability-handling
[2] https://www.apache.org/security/committers.html#publishing-information
[3] https://spark.apache.org/security.html
[4] https://kafka.apache.org/cve-list

On Thu, Nov 14, 2019 at 12:12 PM Dian Fu <dian0511...@gmail.com> wrote:

Hi all,

I'm reaching out to see if there is an existing security specific mailing
list in Flink. If there is, we should expose it on the official web site of
Flink [1] to guide people to report security issues to this mailing list.
If it still doesn't exist, I'm here to propose setting up a
secur...@flink.apache.org mailing list for reporting and discussion of
security specific issues. Currently, most well known apache projects such
as apache common [2], hadoop [3], spark [4], kafka [5], hive [6], etc. have a
security specific mailing list. It would be nice if there is also a
security specific mailing list for Flink.

Note that users should report security issues to the security mailing list.

Looking forward to your feedback!

Regards,
Dian

[1] https://flink.apache.org/community.html
[2] https://commons.apache.org/mail-lists.html
[3] https://hadoop.apache.org/mailing_lists.html
[4] https://spark.apache.org/community.html
[5] https://kafka.apache.org/project-security.html
[6] https://hive.apache.org/mailing_lists.html
--
Best Regards

Jeff Zhang
