When a PMC does not have the skillset or bandwidth to deal with an issue, but is otherwise active, they can definitely ask for help (https://cwiki.apache.org/confluence/display/SECURITY/Getting+help+handling+security+reports), and if they don't do so on their own we should encourage them. Ideally that help would come from their own community, and the project itself should still be involved to validate the work, as there'd typically be project-specific nuance that 'outside help' might miss. Also, the original contributors should probably be around for actually creating the release, since it seems especially for struggling projects the release processes are often rather bespoke and underdocumented.
If a project doesn't have the bandwidth anymore to take the initiative to find help, that means it is in bad shape. In some cases we've been asking the community for help on the PMC's behalf, but it's definitely a sign the project may be heading for the attic (https://cwiki.apache.org/confluence/display/SECURITY/Project+Security+Response+Formal+Escalation).

I like the idea of a project being able to go (or get sent) 'back to the incubator' as an intermediate step if there's hope they'll recover. I'm not a fan of the idea of a 'rescue team' that swoops in, fixes the security issue, and then disappears - without actual support from the project I don't see that working, and it'd be an excuse for the project not to have to get their act together.

I could see putting together a list of 'people who you could ask for help', to make it easier for projects to find them, with the understanding that they'd ideally form a longer-term relationship with the project and get to know their nuances over time.

Kind regards,

Arnout

On Thu, Oct 10, 2024 at 5:30 PM Mark Thomas <ma...@apache.org> wrote:
> All,
>
> One of the discussions during the security table top exercise in Denver
> was how to handle the situation where a project doesn't have the
> skill-set necessary to respond to a security vulnerability report.
>
> Is this a reason to send the project to the attic? Or back to the
> incubator to build a bigger community with the right skills? Or ... ?
>
> Or do we take another approach and try and find a mechanism to add
> people to the project. Some sort of group of subject matter experts that
> can be called upon?
>
> Thoughts?
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: security-discuss-unsubscr...@community.apache.org
> For additional commands, e-mail: security-discuss-h...@community.apache.org
>

--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant