In producing the written materials for the upcoming Security Summit at
the White House, it was very helpful that we had plenty of documentation
for our processes and procedures on the Apache web site. We document
what is expected of contributors, project management committees,
releases, responses to security vulnerabilities, etc. All good.
It occurs to me that we are missing an opportunity to document what is
expected of people downloading our releases, in particular the
expectations we have for redistributors.
The list is small. An outline:
* We REQUIRE redistributed versions of our code to comply with the
terms of our license
* We ENCOURAGE reviews of the code, in particular reviews of the code
in the context in which it is deployed (i.e., including other
components that this code may interact with)
* We REQUIRE any reports of security issues to follow the process we
have defined for such
* We EXPECT redistributors to keep current with respect to our
releases and actively push out fixes
If these expectations are spelled out in a friendly way, and there are
prominent links to these expectations in strategic locations (e.g.,
download pages), then perhaps we will see greater awareness of security
responsibilities. Whether or not it moves the needle is an open
question, but at a minimum it could be helpful to point the press to
the next time a vulnerability is discovered.
Thoughts?
- Sam Ruby