Help requested: Zeppelin Security triage and follow-up

2024-01-31 Thread Apache Security Team
Dear Zeppelin community,

As you know, the Apache Software Foundation really cares about our users'
security, and protects them by defining sensible release and security
processes. These indirectly also protect our committers, shielding
individuals from personal liability. Additionally, we have a security
committee to assist PMCs with the process of triage and follow-up. Some of
this process is necessarily done in private, as we practice responsible
disclosure.

We see that potential security issues are being reported privately to the
Zeppelin PMC, but the PMC is struggling to triage (and, if necessary, fix
and disclose) them in a timely manner. If we cannot turn this trend around
soon, Zeppelin will have to start the Apache Attic process.

On behalf of the PMC: would anyone be interested in significantly helping
out here? If so, please contact priv...@zeppelin.apache.org with
secur...@apache.org in Cc.


Kind regards,

The ASF Security Team


Help requested: Zeppelin security triage and followup

2025-04-10 Thread Apache Security Team
Dear Zeppelin users and developers,

As you know, the Apache Software Foundation takes our users' security
seriously, and defines sensible release and security processes to make sure
potential security issues are dealt with responsibly. These indirectly also
protect our committers, shielding individuals from personal liability. Some
of this process is necessarily done in private, as we practice responsible
disclosure.

We are seeing that potential security issues are reported privately to the
Zeppelin PMC, but the PMC currently does not appear to have the bandwidth
to triage (and, if necessary, fix and disclose) them.

On behalf of the PMC: would anyone be interested in helping out here? If
so, please contact priv...@zeppelin.apache.org with secur...@apache.org in
Cc.

If you're using this project in a professional capacity, now would be a
good time to campaign to allocate time to participate, to keep the project
healthy. This is the first step of our more formal security escalation
process [0]. If the Zeppelin project cannot return to a healthy cadence of
dealing with security issues, the only responsible decision for the PMC
(which is collectively responsible for the oversight of the project) would
be to initiate the move to the Attic [1]. Of course we hope this can be
prevented.

As this message is going to the public mailing list, please do not share
sensitive information in this thread.


Kind regards,

The ASF Security Team

[0] https://cwiki.apache.org/confluence/display/SECURITY/Project+Security+Response+Formal+Escalation

[1] https://attic.apache.org/