pjfanning opened a new issue, #3807: URL: https://github.com/apache/texera/issues/3807
As an Apache podling, it is only a matter of time before security researchers start analysing Texera. A lot of them go after easy pickings like outdated dependency versions in the hope of getting a CVE raised and then being able to advertise that they found a CVE.

It would make life easier if you had a doc laying out what Texera is for and how people are expected to use it. Many security researchers take the absence of such documentation as an invitation to assume that people will deploy Texera in the most insecure way possible and allow anyone to drop files into the installation, and that web services and UIs will be open to all and sundry on the public internet.

I have experience with the ASF Security team and see the large number of daily issues reported across the ASF ecosystem - many important issues, but lots of issues where common sense dictates the users of OSS software would be expected to take some care deploying and managing access to their installations.

I would suggest that you write a doc that discourages users from using Texera unless they deploy it on a secure machine or private network. If you add features that allow users to deploy Texera and allow public internet access, then you can treat those as exceptions where you describe how to do this securely.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
