On Mon, Dec 20, 2021 at 1:35 AM Mark J Cox <[email protected]> wrote:

> Mark is right; we've got several hundred projects and they all work
> differently. Some have lots of resources, handle lots of issues, and have
> mature and working processes for getting releases out. Others either handle
> security issues infrequently or are struggling for resources and we need to
> give them some help. The ASF security team provides and maintains the
> common required process all projects need to follow to handle their
> reported security issues, and we provide as much help and guidance as we
> can on how they can get through them. (the yearly report gives a good
> overview, here's the one for 2020:
>
> https://blogs.apache.org/foundation/entry/apache-software-foundation-security-report1
> )

Thanks :) I also enjoyed finding https://www.apache.org/security/projects.html as a nice list of the various Security project-teams.

My assumption on the history is that initially the Security Team was HTTP Server focused (yourself, Bill? Ben?), and then as Tomcat grew the Tomcat Security work led to MarkT joining in. Are others of the projects with mature processes finding themselves getting more involved in the overall Security Team as a whole? I wonder if there are clumping strategies we could use; for example I imagine despite not being listed that the Tomcat Security team handle Commons FileUpload [assuming I'm not way out of date and it's still used].

> Those projects that struggle for resources need help from more than what a
> PSIRT-like team can provide; what they need are people in their project
> able to write and test code, able to do releases, people that really
> understand how the project is used and the community around it.

My initial instinct is that "sure, but that's just projects becoming inactive". Which I think is true, but I wonder if you're saying that inactive projects are one of our larger security-related issues? It's a hard one to fix, assuming it should be fixed. Personally I think there should be some kind of alert when a project moves to the Attic. Common Deprecation Event :) And possibly the 'investment' is in putting more energy into how to move off of the now mothballed project. What do we do when a security issue is reported in an Attic'd project?

> I'd also like to see us have people work more closely with the various
> OpenSSF initiatives. OpenSSF have a number of interesting projects that
> are trying to understand and address problems that have come up with OSS
> many of which would benefit from people with security and specifically
> Apache projects experience.

As in, if you had a volunteer today you would ask them to volunteer to the OpenSSF, or you'd like to connect some of the mature security-minded projects to the OpenSSF, or ... ?

Hen
