I’m not a Spark security expert, and adding some extra prose may indeed be helpful.
But I will note that that person’s reply to the ASF Security Team’s initial comment smells like LLM output. Perhaps I am being unfair to them, but I have read reports <https://daniel.haxx.se/blog/2024/01/02/the-i-in-llm-stands-for-intelligence/> that bug bounties are now getting flooded with credible-looking reports generated by AI that simply waste a lot of developer time to check. And if that’s the case, then unfortunately some extra prose in the Security guide is unlikely to help.

> On Apr 7, 2025, at 9:59 AM, Arnout Engelen <enge...@apache.org> wrote:
>
> Hello dev@spark,
>
> Every now and then we get a 'security report' for Spark where the reporter is
> shocked that 'spark', an 'engine for executing', allows users to execute
> things. The latest in this category was
> https://huntr.com/bounties/cc436d0b-e5d7-4394-9cff-0d4b1809a3f8.
>
> You already have a pretty great
> https://spark.apache.org/docs/latest/security.html, but it might be good to
> add a basic introduction to make explicit that users who are authorized to
> execute can indeed execute code? I'm of course no Spark expert and you can
> likely more clearly describe the security boundaries here. You could take
> inspiration from https://flink.apache.org/what-is-flink/security/ or other
> pages linked from https://security.apache.org/projects/
>
>
> Kind regards,
>
> --
> Arnout Engelen
> ASF Security Response
> Apache Pekko PMC member, ASF Member
> NixOS Committer
> Independent Open Source consultant