I’m not a Spark security expert, and adding some extra prose may indeed be 
helpful.

But I will note that that person’s reply to the ASF Security Team’s initial 
comment smells like LLM output. Perhaps I am being unfair to them, but I have 
read reports 
<https://daniel.haxx.se/blog/2024/01/02/the-i-in-llm-stands-for-intelligence/> 
that bug bounties are now getting flooded with credible-looking reports 
generated by AI that simply waste a lot of developer time to check. 

And if that’s the case, then unfortunately some extra prose in the Security 
guide is unlikely to help.


> On Apr 7, 2025, at 9:59 AM, Arnout Engelen <enge...@apache.org> wrote:
> 
> Hello dev@spark,
> 
> Every now and then we get a 'security report' for Spark where the reporter is 
> shocked that 'spark', an 'engine for executing', allows users to execute 
> things. The latest in this category was 
> https://huntr.com/bounties/cc436d0b-e5d7-4394-9cff-0d4b1809a3f8.
> 
> You already have a pretty great 
> https://spark.apache.org/docs/latest/security.html, but it might be good to 
> add a basic introduction to make explicit that users who are authorized to 
> execute can indeed execute code? I'm of course no Spark expert and you can 
> likely more clearly describe the security boundaries here. You could take 
> inspiration from https://flink.apache.org/what-is-flink/security/ or other 
> pages linked from https://security.apache.org/projects/
> 
> 
> Kind regards,
> 
> --
> Arnout Engelen
> ASF Security Response
> Apache Pekko PMC member, ASF Member
> NixOS Committer
> Independent Open Source consultant
