[jira] [Commented] (HBASE-7126) Update website with info on how to report security bugs
[ https://issues.apache.org/jira/browse/HBASE-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14356457#comment-14356457 ] Hudson commented on HBASE-7126: --- SUCCESS: Integrated in HBase-TRUNK #6239 (See [https://builds.apache.org/job/HBase-TRUNK/6239/]) HBASE-7126 Document how to report security bugs (mstanleyjones: rev d590f87ef410eff6770a71b416f13645615210ea) * src/main/asciidoc/_chapters/preface.adoc * src/main/asciidoc/_chapters/security.adoc Update website with info on how to report security bugs Key: HBASE-7126 URL: https://issues.apache.org/jira/browse/HBASE-7126 Project: HBase Issue Type: Task Components: documentation Reporter: Eli Collins Assignee: Misty Stanley-Jones Priority: Critical Labels: website Fix For: 2.0.0 Attachments: HBASE-7126-v1.patch, HBASE-7126.patch The HBase website should be updated with information on how to report potential security vulnerabilities. In Hadoop land we have a private security list that anyone case post to that we point to on our list page: Hadoop example http://hadoop.apache.org/general_lists.html#Security. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-7126) Update website with info on how to report security bugs
[ https://issues.apache.org/jira/browse/HBASE-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14356314#comment-14356314 ] Sean Busbey commented on HBASE-7126: +1 LGTM Update website with info on how to report security bugs Key: HBASE-7126 URL: https://issues.apache.org/jira/browse/HBASE-7126 Project: HBase Issue Type: Task Components: documentation Reporter: Eli Collins Assignee: Misty Stanley-Jones Priority: Critical Labels: website Attachments: HBASE-7126-v1.patch, HBASE-7126.patch The HBase website should be updated with information on how to report potential security vulnerabilities. In Hadoop land we have a private security list that anyone case post to that we point to on our list page: Hadoop example http://hadoop.apache.org/general_lists.html#Security. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-7126) Update website with info on how to report security bugs
[
https://issues.apache.org/jira/browse/HBASE-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14356338#comment-14356338
]
Hadoop QA commented on HBASE-7126:
--
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12703823/HBASE-7126-v1.patch
against master branch at commit 09e9c92d7699b985f45a48242a24af7c848926f0.
ATTACHMENT ID: 12703823
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:green}+0 tests included{color}. The patch appears to be a
documentation patch that doesn't require tests.
{color:green}+1 hadoop versions{color}. The patch compiles with all
supported hadoop versions (2.4.1 2.5.2 2.6.0)
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 javadoc{color}. The javadoc tool did not generate any
warning messages.
{color:green}+1 checkstyle{color}. The applied patch does not increase the
total number of checkstyle errors
{color:green}+1 findbugs{color}. The patch does not introduce any new
Findbugs (version 2.0.3) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:red}-1 lineLengths{color}. The patch introduces the following lines
longer than 100:
+Please use link:https://issues.apache.org/jira/browse/hbase[JIRA] to
report non-security-related bugs.
+To protect existing HBase installations from new vulnerabilities, please *do
not* use JIRA to report security-related bugs. Instead, send your report to the
mailing list priv...@apache.org, which allows anyone to send messages, but
restricts who can read them. Someone on that list will contact you to follow up
on your report.
+NOTE: To protect existing HBase installations from exploitation, please *do
not* use JIRA to report security-related bugs. Instead, send your report to the
mailing list priv...@apache.org, which allows anyone to send messages, but
restricts who can read them. Someone on that list will contact you to follow up
on your report.
+HBase adheres to the Apache Software Foundation's policy on reported
vulnerabilities, available at http://apache.org/security/.
+If you wish to send an encrypted report, you can use the GPG details provided
for the general ASF security list. This will likely increase the response time
to your report.
{color:red}-1 site{color}. The patch appears to cause mvn site goal to
fail.
{color:red}-1 core tests{color}. The patch failed these unit tests:
Test results:
https://builds.apache.org/job/PreCommit-HBASE-Build/13172//testReport/
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-hadoop2-compat.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-common.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-rest.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-thrift.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-annotations.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-examples.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-client.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-server.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/newPatchFindbugsWarningshbase-protocol.html
Checkstyle Errors:
https://builds.apache.org/job/PreCommit-HBASE-Build/13172//artifact/patchprocess/checkstyle-aggregate.html
Console output:
https://builds.apache.org/job/PreCommit-HBASE-Build/13172//console
This message is automatically generated.
Update website with info on how to report security bugs
Key: HBASE-7126
URL:
[jira] [Commented] (HBASE-7126) Update website with info on how to report security bugs
[ https://issues.apache.org/jira/browse/HBASE-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14354271#comment-14354271 ] stack commented on HBASE-7126: -- +1 as a start [~misty] Update website with info on how to report security bugs Key: HBASE-7126 URL: https://issues.apache.org/jira/browse/HBASE-7126 Project: HBase Issue Type: Task Components: documentation Reporter: Eli Collins Assignee: Misty Stanley-Jones Priority: Critical Labels: website Attachments: HBASE-7126.patch The HBase website should be updated with information on how to report potential security vulnerabilities. In Hadoop land we have a private security list that anyone case post to that we point to on our list page: Hadoop example http://hadoop.apache.org/general_lists.html#Security. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-7126) Update website with info on how to report security bugs
[ https://issues.apache.org/jira/browse/HBASE-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14354277#comment-14354277 ] Misty Stanley-Jones commented on HBASE-7126: What else would you like to see, besides a start? :) Update website with info on how to report security bugs Key: HBASE-7126 URL: https://issues.apache.org/jira/browse/HBASE-7126 Project: HBase Issue Type: Task Components: documentation Reporter: Eli Collins Assignee: Misty Stanley-Jones Priority: Critical Labels: website Attachments: HBASE-7126.patch The HBase website should be updated with information on how to report potential security vulnerabilities. In Hadoop land we have a private security list that anyone case post to that we point to on our list page: Hadoop example http://hadoop.apache.org/general_lists.html#Security. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-7126) Update website with info on how to report security bugs
[ https://issues.apache.org/jira/browse/HBASE-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14354285#comment-14354285 ] Sean Busbey commented on HBASE-7126: a link to the ASF policy on reported vulnerabilities would be a nice addition (ref http://apache.org/security/), perhaps with a note that folks who wish to send an encrypted report can use the GPG details provided for the general ASF security list (with a warning that responses will take longer). Update website with info on how to report security bugs Key: HBASE-7126 URL: https://issues.apache.org/jira/browse/HBASE-7126 Project: HBase Issue Type: Task Components: documentation Reporter: Eli Collins Assignee: Misty Stanley-Jones Priority: Critical Labels: website Attachments: HBASE-7126.patch The HBase website should be updated with information on how to report potential security vulnerabilities. In Hadoop land we have a private security list that anyone case post to that we point to on our list page: Hadoop example http://hadoop.apache.org/general_lists.html#Security. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-7126) Update website with info on how to report security bugs
[
https://issues.apache.org/jira/browse/HBASE-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14342637#comment-14342637
]
Hadoop QA commented on HBASE-7126:
--
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12701748/HBASE-7126.patch
against master branch at commit dad2474f08d201d09989e36f5cf1c25d3fa4acee.
ATTACHMENT ID: 12701748
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:green}+0 tests included{color}. The patch appears to be a
documentation patch that doesn't require tests.
{color:green}+1 hadoop versions{color}. The patch compiles with all
supported hadoop versions (2.4.1 2.5.2 2.6.0)
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 javadoc{color}. The javadoc tool did not generate any
warning messages.
{color:green}+1 checkstyle{color}. The applied patch does not increase the
total number of checkstyle errors
{color:green}+1 findbugs{color}. The patch does not introduce any new
Findbugs (version 2.0.3) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:red}-1 lineLengths{color}. The patch introduces the following lines
longer than 100:
+Please use link:https://issues.apache.org/jira/browse/hbase[JIRA] to
report non-security-related bugs.
+To protect existing HBase installations from new vulnerabilities, please *do
not* use JIRA to report security-related bugs. Instead, send your report to the
mailing list priv...@apache.org, which allows anyone to send messages, but
restricts who can read them. Someone on that list will contact you to follow up
on your report.
+NOTE: To protect existing HBase installations from new vulnerabilities, please
*do not* use JIRA to report security-related bugs. Instead, send your report to
the mailing list priv...@apache.org, which allows anyone to send messages, but
restricts who can read them. Someone on that list will contact you to follow up
on your report.
{color:green}+1 site{color}. The mvn site goal succeeds with this patch.
{color:red}-1 core tests{color}. The patch failed these unit tests:
Test results:
https://builds.apache.org/job/PreCommit-HBASE-Build/13023//testReport/
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-examples.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-server.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-common.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-rest.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-protocol.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-client.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-thrift.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-hadoop2-compat.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/newPatchFindbugsWarningshbase-annotations.html
Checkstyle Errors:
https://builds.apache.org/job/PreCommit-HBASE-Build/13023//artifact/patchprocess/checkstyle-aggregate.html
Console output:
https://builds.apache.org/job/PreCommit-HBASE-Build/13023//console
This message is automatically generated.
Update website with info on how to report security bugs
Key: HBASE-7126
URL: https://issues.apache.org/jira/browse/HBASE-7126
Project: HBase
Issue Type: Task
Components: documentation
Reporter: Eli Collins
Assignee: Misty Stanley-Jones
Priority: Critical
Labels: website
Attachments: HBASE-7126.patch
The
[jira] [Commented] (HBASE-7126) Update website with info on how to report security bugs
[ https://issues.apache.org/jira/browse/HBASE-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14326381#comment-14326381 ] stack commented on HBASE-7126: -- private@hbase seems like a good place to start [~misty] Update website with info on how to report security bugs Key: HBASE-7126 URL: https://issues.apache.org/jira/browse/HBASE-7126 Project: HBase Issue Type: Task Components: documentation Reporter: Eli Collins Priority: Critical Labels: website The HBase website should be updated with information on how to report potential security vulnerabilities. In Hadoop land we have a private security list that anyone case post to that we point to on our list page: Hadoop example http://hadoop.apache.org/general_lists.html#Security. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-7126) Update website with info on how to report security bugs
[ https://issues.apache.org/jira/browse/HBASE-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14324876#comment-14324876 ] Misty Stanley-Jones commented on HBASE-7126: Has a decision been made? Update website with info on how to report security bugs Key: HBASE-7126 URL: https://issues.apache.org/jira/browse/HBASE-7126 Project: HBase Issue Type: Task Components: documentation Reporter: Eli Collins Priority: Critical Labels: website The HBase website should be updated with information on how to report potential security vulnerabilities. In Hadoop land we have a private security list that anyone case post to that we point to on our list page: Hadoop example http://hadoop.apache.org/general_lists.html#Security. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-7126) Update website with info on how to report security bugs
[ https://issues.apache.org/jira/browse/HBASE-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14190049#comment-14190049 ] Sean Busbey commented on HBASE-7126: More info in the [ASF ref|http://www.apache.org/security/committers.html]. secur...@apache.org will default to private@hbase for forwarding reports to them. That's fine if we want to stick to usign that for all reports, but we should document the preference. Update website with info on how to report security bugs Key: HBASE-7126 URL: https://issues.apache.org/jira/browse/HBASE-7126 Project: HBase Issue Type: Task Components: documentation Reporter: Eli Collins Priority: Critical Labels: website The HBase website should be updated with information on how to report potential security vulnerabilities. In Hadoop land we have a private security list that anyone case post to that we point to on our list page: Hadoop example http://hadoop.apache.org/general_lists.html#Security. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
