Hi all,

I'd like to propose augmenting the KIP template with a "Security
Implications" section. Similar to the recently-added "test plan" section,
the purpose here is to draw explicit attention to the security impact of
the changes in the KIP during the design and discussion phase. On top of
that, it should provide a common framework for how to reason about security
so that everyone from new contributors to seasoned committers/PMC members
can use the same standards when evaluating the security implications of a
proposal.

Here's the draft wording I've come up with so far for the template:

How does this impact the security of the project?
• Does it make Kafka or any of its components (brokers, clients, Kafka
Connect, Kafka Streams, Mirror Maker 2, etc.) less secure when run with
default settings?
• Does it give users new access to configure clients, brokers, topics, etc.
in situations where they did not have this access before? Keep in mind that
the ability to arbitrarily configure a Kafka client can add to the attack
surface of a project and may be safer to disable by default.
• Does it make Kafka or any of its components more difficult to run in a
fully-secured fashion?

Let me know your thoughts. My tentative plan is to add this (with any
modifications after discussion) to the KIP template after at least one week
has elapsed, there has been approval from at least a couple seasoned
contributors, and there are no unaddressed objections.

Cheers,

Chris