Howdy folks. I'd be happy to step into this working group. On Mon, May 1, 2023 at 12:34 PM Gus Heck <gus.h...@gmail.com> wrote:
> Awesome, glad to have you Jason, I in the end feel the same way about my > spot. Mostly I qualify as "concerned citizen", possibly with "who thought > about it some and has ideas" added. If we get more than 5 volunteers we can > start comparing credentials. > > On Mon, May 1, 2023 at 1:17 PM Jason Gerlowski <gerlowsk...@gmail.com> > wrote: > > > Hi Gus, > > > > I think this is a great idea. > > > > I don't have much security background that'd make me a particularly > > good fit, but absent someone with that background stepping up, I'm > > willing to volunteer for one of the spots. (I'd be more than happy to > > bow out if better qualified folks come along.) > > > > Best, > > > > Jason > > > > On Sun, Apr 30, 2023 at 7:14 PM David Smiley <dsmi...@apache.org> wrote: > > > > > > Pretty sleepy thread so far; apparently nobody else is interested in > > > talking about Solr security -- LOL ;-) > > > > > > ~ David Smiley > > > Apache Lucene/Solr Search Developer > > > http://www.linkedin.com/in/davidwsmiley > > > > > > > > > On Wed, Apr 26, 2023 at 8:25 AM Gus Heck <gus.h...@gmail.com> wrote: > > > > > > > Thanks David. It would be great to have you if you can find time for > > it. As > > > > far as time commitment goes, I think it should become minimal after a > > while > > > > unless we have a flood of security reports to respond to. For a > little > > > > while after initial organization, I think the members will want to > put > > a > > > > bit of effort into hitting some of the goals I mentioned. > > > > > > > > On Tue, Apr 25, 2023 at 12:28 AM David Smiley <dsmi...@apache.org> > > wrote: > > > > > > > > > This is a thoughtful organization attempt and needed, I think. > > Thanks > > > > Gus! > > > > > > > > > > I want to see if I could get a security specialist/engineer where I > > work > > > > to > > > > > help us with this. I'm tempted to say I'm joining this thing but > I'm > > > > weary > > > > > of dedicating time per week. > > > > > > > > > > ~ David Smiley > > > > > Apache Lucene/Solr Search Developer > > > > > http://www.linkedin.com/in/davidwsmiley > > > > > > > > > > > > > > > On Mon, Apr 24, 2023 at 1:33 PM Gus Heck <gus.h...@gmail.com> > wrote: > > > > > > > > > > > *Rationale* > > > > > > > > > > > > Over the course of the last decade the way software security is > > viewed > > > > > has > > > > > > changed. Solr has changed significantly over this time too and we > > have > > > > > > gained some important security features and fixed a variety of > > > > > > vulnerabilities. However, I think as a project we have not really > > > > > developed > > > > > > a clear vision of what our security goals and use cases are. I > have > > > > > > witnessed a fair bit of variability in the responses to security > > > > related > > > > > > queries, and I think much of the variability comes from > conflation > > > > among > > > > > > "good practical advice", "somewhat dated advice" and "varying > > notions > > > > of > > > > > > supported use cases". We also regularly receive reports to the > > > > > > secur...@solr.apache.org address that involve investigations > into > > > > > systems > > > > > > that are not properly secured to begin with or configured to > > explicitly > > > > > > allow the dangerous behavior and it's a shame to see security > > > > researchers > > > > > > waste their time on that. Finally, the PMC and set of people > > subscribed > > > > > to > > > > > > secur...@solr.apache.org is a large enough group that incoming > > mails > > > > > often > > > > > > seem to languish in a classic example of nobody having actual > > specific > > > > > > responsibility for responding. > > > > > > > > > > > > *Proposal* > > > > > > The Solr PMC should appoint from among its members either 3 to 5 > > > > > > individuals to serve as a "security working group" Membership in > > the > > > > > > "Security Working Group" requires subscribing to > > > > > secur...@solr.apache.org, > > > > > > and a 30 minute conference call once or twice a month. This > working > > > > group > > > > > > would have the following goals. > > > > > > > > > > > > 1. Establish a relationship with someone who's core job > > function is > > > > > > computer security, rather than providing search (I'm hoping > the > > ASF > > > > > has > > > > > > some people who secure their systems that could be a > resource). > > This > > > > > > person > > > > > > should be willing to offer a systems security perspective on > our > > > > goals > > > > > > and > > > > > > the security functionality we provide. > > > > > > 2. Develop a clear statement of the security use cases we > would > > like > > > > > to > > > > > > support, and exposition of some scenarios that are clearly out > > of > > > > > scope. > > > > > > This results in a proposal to be discussed on the dev list and > > users > > > > > > list > > > > > > and eventually voted on. > > > > > > 3. Identification of use cases we would like to support that > > are not > > > > > yet > > > > > > supported, and publicize them to encourage these > contributions. > > > > > > 4. Review of documentation to ensure consistency with our > > current > > > > > state > > > > > > (security only, perhaps annually?). > > > > > > 5. Creation of a "security report checklist" that security > > > > researchers > > > > > > can self apply before they submit reports. > > > > > > 6. Form letters for consistent response to reports that > haven't > > > > passed > > > > > > the checklist. > > > > > > 7. Provide consistent and prompt responses to possible > > > > > > vulnerabilities reported to secur...@apache.org. Those > > subscribed > > > > to > > > > > > secur...@solr.apache.org who are not in the working group > > should > > > > > allow > > > > > > the working group time to respond before responding > themselves. > > > > > > 8. When asked, offer opinions on proposed new security > features > > > > > > regarding consistency with the goals (working group to > discuss, > > > > return > > > > > > with > > > > > > an opinion, always publically and just as a voice in the > > > > conversation, > > > > > > not > > > > > > as any sort of veto/control, decisions are still up to the > list > > of > > > > > > course). > > > > > > > > > > > > NON-GOAL: The group is not responsible for fixing security bugs > or > > > > adding > > > > > > security features. (nothing stopping them of course, just not the > > point > > > > > of > > > > > > the group, which is a goal setting and consistency oriented > group) > > > > > > > > > > > > *Volunteer* > > > > > > > > > > > > And to lower the barrier to things started, I volunteer to > > participate > > > > in > > > > > > this WG for at least a year, and spend up to 2h/week on it. I > don't > > > > think > > > > > > any members should be expected to dedicate more than that to it, > > and > > > > > > probably many weeks the time required should be less. > > > > > > > > > > > > *Feedback* > > > > > > > > > > > > Of course if you think this idea can be tweaked or improved, > speak > > up! > > > > > The > > > > > > whole reason this is mailed to the dev list is to get broad > > feedback so > > > > > > that we can implement the best improvements possible. > > > > > > > > > > > > -Gus > > > > > > > > > > > > > > > > > > > > > > > -- > > > > http://www.needhamsoftware.com (work) > > > > http://www.the111shift.com (play) > > > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: dev-unsubscr...@solr.apache.org > > For additional commands, e-mail: dev-h...@solr.apache.org > > > > > > -- > http://www.needhamsoftware.com (work) > http://www.the111shift.com (play) >
