[jira] [Commented] (HBASE-7126) Update website with info on how to report security bugs
[ https://issues.apache.org/jira/browse/HBASE-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14356457#comment-14356457 ] Hudson commented on HBASE-7126: --- SUCCESS: Integrated in HBase-TRUNK #6239 (See [https://builds.apache.org/job/HBase-TRUNK/6239/]) HBASE-7126 Document how to report security bugs (mstanleyjones: rev d590f87ef410eff6770a71b416f13645615210ea) * src/main/asciidoc/_chapters/preface.adoc * src/main/asciidoc/_chapters/security.adoc Update website with info on how to report security bugs Key: HBASE-7126 URL: https://issues.apache.org/jira/browse/HBASE-7126 Project: HBase Issue Type: Task Components: documentation Reporter: Eli Collins Assignee: Misty Stanley-Jones Priority: Critical Labels: website Fix For: 2.0.0 Attachments: HBASE-7126-v1.patch, HBASE-7126.patch The HBase website should be updated with information on how to report potential security vulnerabilities. In Hadoop land we have a private security list that anyone case post to that we point to on our list page: Hadoop example http://hadoop.apache.org/general_lists.html#Security. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-7126) Update website with info on how to report security bugs
[ https://issues.apache.org/jira/browse/HBASE-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14356314#comment-14356314 ] Sean Busbey commented on HBASE-7126: +1 LGTM Update website with info on how to report security bugs Key: HBASE-7126 URL: https://issues.apache.org/jira/browse/HBASE-7126 Project: HBase Issue Type: Task Components: documentation Reporter: Eli Collins Assignee: Misty Stanley-Jones Priority: Critical Labels: website Attachments: HBASE-7126-v1.patch, HBASE-7126.patch The HBase website should be updated with information on how to report potential security vulnerabilities. In Hadoop land we have a private security list that anyone case post to that we point to on our list page: Hadoop example http://hadoop.apache.org/general_lists.html#Security. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-7126) Update website with info on how to report security bugs
[ https://issues.apache.org/jira/browse/HBASE-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14356338#comment-14356338 ] Hadoop QA commented on HBASE-7126: -- {color:red}-1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12703823/HBASE-7126-v1.patch against master branch at commit 09e9c92d7699b985f45a48242a24af7c848926f0. ATTACHMENT ID: 12703823 {color:green}+1 @author{color}. The patch does not contain any @author tags. {color:green}+0 tests included{color}. The patch appears to be a documentation patch that doesn't require tests. {color:green}+1 hadoop versions{color}. The patch compiles with all supported hadoop versions (2.4.1 2.5.2 2.6.0) {color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings. {color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings. {color:green}+1 javadoc{color}. The javadoc tool did not generate any warning messages. {color:green}+1 checkstyle{color}. The applied patch does not increase the total number of checkstyle errors {color:green}+1 findbugs{color}. The patch does not introduce any new Findbugs (version 2.0.3) warnings. {color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings. {color:red}-1 lineLengths{color}. The patch introduces the following lines longer than 100: +Please use link:https://issues.apache.org/jira/browse/hbase[JIRA] to report non-security-related bugs. +To protect existing HBase installations from new vulnerabilities, please *do not* use JIRA to report security-related bugs. Instead, send your report to the mailing list priv...@apache.org, which allows anyone to send messages, but restricts who can read them. Someone on that list will contact you to follow up on your report. +NOTE: To protect existing HBase installations from exploitation, please *do not* use JIRA to report security-related bugs. Instead, send your report to the mailing list priv...@apache.org, which allows anyone to send messages, but restricts who can read them. Someone on that list will contact you to follow up on your report. +HBase adheres to the Apache Software Foundation's policy on reported vulnerabilities, available at http://apache.org/security/. +If you wish to send an encrypted report, you can use the GPG details provided for the general ASF security list. This will likely increase the response time to your report. {color:red}-1 site{color}. The patch appears to cause mvn site goal to fail. {color:red}-1 core tests{color}. The patch failed these unit tests: Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/13172//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-hadoop2-compat.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-common.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-rest.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-thrift.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-annotations.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-examples.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-client.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-server.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-protocol.html Checkstyle Errors: https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/checkstyle-aggregate.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/13172//console This message is automatically generated. Update website with info on how to report security bugs Key: HBASE-7126 URL:
[jira] [Commented] (HBASE-7126) Update website with info on how to report security bugs
[ https://issues.apache.org/jira/browse/HBASE-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14354271#comment-14354271 ] stack commented on HBASE-7126: -- +1 as a start [~misty] Update website with info on how to report security bugs Key: HBASE-7126 URL: https://issues.apache.org/jira/browse/HBASE-7126 Project: HBase Issue Type: Task Components: documentation Reporter: Eli Collins Assignee: Misty Stanley-Jones Priority: Critical Labels: website Attachments: HBASE-7126.patch The HBase website should be updated with information on how to report potential security vulnerabilities. In Hadoop land we have a private security list that anyone case post to that we point to on our list page: Hadoop example http://hadoop.apache.org/general_lists.html#Security. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-7126) Update website with info on how to report security bugs
[ https://issues.apache.org/jira/browse/HBASE-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14354277#comment-14354277 ] Misty Stanley-Jones commented on HBASE-7126: What else would you like to see, besides a start? :) Update website with info on how to report security bugs Key: HBASE-7126 URL: https://issues.apache.org/jira/browse/HBASE-7126 Project: HBase Issue Type: Task Components: documentation Reporter: Eli Collins Assignee: Misty Stanley-Jones Priority: Critical Labels: website Attachments: HBASE-7126.patch The HBase website should be updated with information on how to report potential security vulnerabilities. In Hadoop land we have a private security list that anyone case post to that we point to on our list page: Hadoop example http://hadoop.apache.org/general_lists.html#Security. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-7126) Update website with info on how to report security bugs
[ https://issues.apache.org/jira/browse/HBASE-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14354285#comment-14354285 ] Sean Busbey commented on HBASE-7126: a link to the ASF policy on reported vulnerabilities would be a nice addition (ref http://apache.org/security/), perhaps with a note that folks who wish to send an encrypted report can use the GPG details provided for the general ASF security list (with a warning that responses will take longer). Update website with info on how to report security bugs Key: HBASE-7126 URL: https://issues.apache.org/jira/browse/HBASE-7126 Project: HBase Issue Type: Task Components: documentation Reporter: Eli Collins Assignee: Misty Stanley-Jones Priority: Critical Labels: website Attachments: HBASE-7126.patch The HBase website should be updated with information on how to report potential security vulnerabilities. In Hadoop land we have a private security list that anyone case post to that we point to on our list page: Hadoop example http://hadoop.apache.org/general_lists.html#Security. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-7126) Update website with info on how to report security bugs
[ https://issues.apache.org/jira/browse/HBASE-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14342637#comment-14342637 ] Hadoop QA commented on HBASE-7126: -- {color:red}-1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12701748/HBASE-7126.patch against master branch at commit dad2474f08d201d09989e36f5cf1c25d3fa4acee. ATTACHMENT ID: 12701748 {color:green}+1 @author{color}. The patch does not contain any @author tags. {color:green}+0 tests included{color}. The patch appears to be a documentation patch that doesn't require tests. {color:green}+1 hadoop versions{color}. The patch compiles with all supported hadoop versions (2.4.1 2.5.2 2.6.0) {color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings. {color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings. {color:green}+1 javadoc{color}. The javadoc tool did not generate any warning messages. {color:green}+1 checkstyle{color}. The applied patch does not increase the total number of checkstyle errors {color:green}+1 findbugs{color}. The patch does not introduce any new Findbugs (version 2.0.3) warnings. {color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings. {color:red}-1 lineLengths{color}. The patch introduces the following lines longer than 100: +Please use link:https://issues.apache.org/jira/browse/hbase[JIRA] to report non-security-related bugs. +To protect existing HBase installations from new vulnerabilities, please *do not* use JIRA to report security-related bugs. Instead, send your report to the mailing list priv...@apache.org, which allows anyone to send messages, but restricts who can read them. Someone on that list will contact you to follow up on your report. +NOTE: To protect existing HBase installations from new vulnerabilities, please *do not* use JIRA to report security-related bugs. Instead, send your report to the mailing list priv...@apache.org, which allows anyone to send messages, but restricts who can read them. Someone on that list will contact you to follow up on your report. {color:green}+1 site{color}. The mvn site goal succeeds with this patch. {color:red}-1 core tests{color}. The patch failed these unit tests: Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/13023//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-examples.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-server.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-common.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-rest.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-protocol.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-client.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-thrift.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-hadoop2-compat.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-annotations.html Checkstyle Errors: https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/checkstyle-aggregate.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/13023//console This message is automatically generated. Update website with info on how to report security bugs Key: HBASE-7126 URL: https://issues.apache.org/jira/browse/HBASE-7126 Project: HBase Issue Type: Task Components: documentation Reporter: Eli Collins Assignee: Misty Stanley-Jones Priority: Critical Labels: website Attachments: HBASE-7126.patch The
[jira] [Commented] (HBASE-7126) Update website with info on how to report security bugs
[ https://issues.apache.org/jira/browse/HBASE-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14326381#comment-14326381 ] stack commented on HBASE-7126: -- private@hbase seems like a good place to start [~misty] Update website with info on how to report security bugs Key: HBASE-7126 URL: https://issues.apache.org/jira/browse/HBASE-7126 Project: HBase Issue Type: Task Components: documentation Reporter: Eli Collins Priority: Critical Labels: website The HBase website should be updated with information on how to report potential security vulnerabilities. In Hadoop land we have a private security list that anyone case post to that we point to on our list page: Hadoop example http://hadoop.apache.org/general_lists.html#Security. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-7126) Update website with info on how to report security bugs
[ https://issues.apache.org/jira/browse/HBASE-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14324876#comment-14324876 ] Misty Stanley-Jones commented on HBASE-7126: Has a decision been made? Update website with info on how to report security bugs Key: HBASE-7126 URL: https://issues.apache.org/jira/browse/HBASE-7126 Project: HBase Issue Type: Task Components: documentation Reporter: Eli Collins Priority: Critical Labels: website The HBase website should be updated with information on how to report potential security vulnerabilities. In Hadoop land we have a private security list that anyone case post to that we point to on our list page: Hadoop example http://hadoop.apache.org/general_lists.html#Security. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-7126) Update website with info on how to report security bugs
[ https://issues.apache.org/jira/browse/HBASE-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14190049#comment-14190049 ] Sean Busbey commented on HBASE-7126: More info in the [ASF ref|http://www.apache.org/security/committers.html]. secur...@apache.org will default to private@hbase for forwarding reports to them. That's fine if we want to stick to usign that for all reports, but we should document the preference. Update website with info on how to report security bugs Key: HBASE-7126 URL: https://issues.apache.org/jira/browse/HBASE-7126 Project: HBase Issue Type: Task Components: documentation Reporter: Eli Collins Priority: Critical Labels: website The HBase website should be updated with information on how to report potential security vulnerabilities. In Hadoop land we have a private security list that anyone case post to that we point to on our list page: Hadoop example http://hadoop.apache.org/general_lists.html#Security. -- This message was sent by Atlassian JIRA (v6.3.4#6332)