gaborgsomogyi opened a new pull request, #854: URL: https://github.com/apache/flink-web/pull/854
The previous page had three problems: a stale CVE table that could not realistically be kept up-to-date, a vague security model that generated false vulnerability reports, and no coverage of the Kubernetes Operator, which is the standard enterprise deployment path.

What changed:

- Restructured into two parallel sections - Apache Flink and Flink Kubernetes Operator - each with Trust Boundary, Security Boundary Reference, and Deployment Requirements subsections
- Added Security Boundary Reference tables for both components so security researchers and enterprise teams can determine in/out of scope findings without contacting the PMC
- Documented that SSL/TLS and authentication are disabled by default (previously implied but never stated)
- Replaced FAQ format with direct statements

CVE tracking:

The inline CVE table is removed entirely. The project does not have the bandwidth actually to keep a hand-maintained list accurate, and a stale list gives users false confidence. Going forward, CVEs are tracked exclusively through OSV (https://osv.dev) and NVD (https://nvd.nist.gov) as authoritative external databases. If the PMC decides to adopt GitHub Security Advisories as an owned record in the future, a link can be added - but that requires a process decision first.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
