Hi Sam,

I think these points are excellent. Up to now, we have provided software for the public good without expecting anything in return, except to adhere to the license terms.

But using our software does involve responsibilities that you have outlined here. Good job.

Craig

> On Jan 7, 2022, at 3:06 PM, Sam Ruby <[email protected]> wrote:
>
> In producing the written materials for the upcoming Security Summit at the
> White House, it was very helpful that we had plenty of documentation for our
> processes and procedures on the Apache web site. We document what is
> expected of contributors, project management committees, releases, responses
> to security vulnerabilities, etc. All good.
>
> It occurs to me that we are missing an opportunity to document what is
> expected of people downloading our releases, in particular our expectations
> we have for redistributors.
>
> The list is small. An outline:
>
> * We REQUIRE redistributed versions of our code to comply with the
> terms of our license
> * We ENCOURAGE reviews of the code, in particular reviews of the code
> in the context in which it is deployed (i.e., including other
> components that this code may interact with)
> * We REQUIRE any reports of security issues to follow the process we
> have defined for such
> * We EXPECT redistributors to keep current with respect to our
> releases and actively push out fixes
>
> If these expectations are spelled out in a friendly way, and there are
> prominent links to these expectations in strategic locations (e.g., download
> pages), then perhaps we will see greater awareness of security
> responsibilities. Whether or not it moves the needle is an open question,
> but at a minimum could be helpful to point the press to the next time a
> vulnerability is discovered.
>
> Thoughts?
>
> - Sam Ruby
>

Craig L Russell
[email protected]
