The private@ list is a moderated list. This has two issues: a moderator
needs to approve any message not sent by a PMC member, which will slow
down the process of interaction with the reporter. It would also not
reach the YuniKorn committers group, as not all committers are part of
the PMC. Security issues should be handled and worked on by all
committers, not just by the PMC members.

I think the security notification update made to the website does not
line up with the security guidelines referenced in the link provided
in the dropdown menu of the YuniKorn site [1]. That link describes a
well-defined way to report security issues. If we need to enhance and
extend what we do, we either establish a security@ mailing list and
provide a static page with security-related information on our site, or
we leave it as is. My preference would be to establish a security@
list and make all committers members of that list.

I think we need to roll back the website changes that are part of YUNIKORN-1006
[2], made in PR [3] for the website.

Wilfred

[1] https://www.apache.org/security/
[2] https://issues.apache.org/jira/browse/YUNIKORN-1006
[3] https://github.com/apache/incubator-yunikorn-site/pull/105

On Tue, 11 Jan 2022 at 04:45, Holden Karau <hol...@pigscanfly.ca> wrote:
>
> For "The project provides a well-documented, secure and private channel to 
> report security issues, along with a documented way of responding to them." 
> the standard that I've seen used is to tell people to e-mail private@ when 
> they think they might have a security-related issue. I think that would 
> probably work well for YuniKorn too.
>
>
> On Mon, Jan 10, 2022 at 7:04 AM Chenya Zhang <chenyazhangche...@gmail.com> 
> wrote:
>>
>> Hi Weiwei,
>>
>> Thanks for driving this! The evaluation is quite comprehensive overall. I 
>> checked our Apache project maturity guidelines and noticed the below three 
>> items. Not sure if we already have them but they are not blockers to our 
>> graduation. We could think more about them along the way.
>>
>> QU30
>>
>> The project provides a well-documented, secure and private channel to report 
>> security issues, along with a documented way of responding to them.
>>
>> QU40
>>
>> The project puts a high priority on backwards compatibility and aims to 
>> document any incompatible changes and provide tools and documentation to 
>> help users transition to new features.
>>
>> CO50
>>
>> The project documents how contributors can earn more rights such as commit 
>> access or decision power, and applies these principles consistently.
>>
>>
>> Thanks,
>>
>> Chenya
>>
>>
>>
>> On Mon, Jan 10, 2022 at 12:00 AM Weiwei Yang <w...@apache.org> wrote:
>>>
>>> Hi YuniKorn community and mentors
>>>
>>> Based on the discussion thread [1], after 2 years of incubating, it is
>>> considered that now is a good time to graduate YuniKorn from the ASF
>>> incubator and become a top-level Apache project. We have reviewed the ASF
>>> project maturity model [2] and provided an assessment of the project's
>>> maturity based on the guidelines. Details are included below.
>>> Please read this and share your thoughts by replying to this email; your
>>> feedback will be much appreciated!
>>>
>>> *Code, License, and Copyright*
>>>
>>> All code is maintained on GitHub, under the Apache 2.0 license. We have
>>> reviewed all the dependencies and ensured they do not bring any license
>>> issues. All the status files, license headers, and copyright are up to date.
>>>
>>> *Release*
>>>
>>> The community has made 5 releases in the past 2 years, i.e. v0.8, v0.9,
>>> v0.10, v0.11, and v0.12. These releases were done by 5 different release
>>> managers [3] and indicate the community can create releases independently.
>>> We also have a well-documented release process and automated tools to help new
>>> release managers with the process.
>>>
>>> *Quality*
>>>
>>> The community has developed a comprehensive CI/CD pipeline to guard
>>> code quality. The pipeline runs a per-commit license check, code-format
>>> check, code-coverage check, unit tests (UT), and end-to-end tests. All of these are built
>>> as automated GitHub Actions; new contributors can easily trigger them and view
>>> results when submitting patches.
>>>
>>> *Community*
>>>
>>> The community has developed an easy-to-read homepage for the project [4].
>>> The website hosts all the materials related to the project, including
>>> versioned documentation, user docs, developer docs, design docs, and
>>> performance docs. It provides top-level navigation to the software
>>> download page, which links to all our previous releases. It also has
>>> pages for onboarding new contributors to the project, such as how to
>>> join community meetings, links to events, etc.
>>>
>>> The community shows appreciation to all contributors and welcomes all kinds
>>> of contributions (not just code). We have built an open, diverse
>>> community and gathered many people to work together. With that, we have 41
>>> unique code contributors and some non-code contributors as well. Many of
>>> them have become committers and PPMC members while working with the
>>> community. There were 2 new mentors, 8 new committers, and 2 new PPMC members from 6
>>> different organizations [5] added in the incubating phase. In total,
>>> the project has 6 mentors, 21 PPMC members, and 27 committers from at least 14
>>> different organizations. Community collaboration is done in a public,
>>> open manner; we leverage regular bi-weekly/weekly community meetings in 2
>>> different timezones [6], dev/user Slack channels, and mailing lists for
>>> offline discussions.
>>>
>>> *Independence*
>>>
>>> The project was initially donated by Cloudera, but with a diverse open
>>> source community, it has been operated as an independent project since it
>>> entered the ASF incubator. The committers and PPMC members are a group of
>>> passionate people from at least 14 different organizations, such as
>>> Alibaba, Apple, Cloudera, Databricks, LinkedIn, Microsoft, Snowflake, etc.
>>> The project's success does not depend on any single entity.
>>>
>>> I have enough reasons to believe the project has developed sustainably and
>>> successfully in the Apache way. Again, please share your
>>> thoughts, all YuniKorn contributors, committers, PPMC members, and mentors. Thank
>>> you!
>>>
>>> [1] https://lists.apache.org/thread/dno411y59g2pcy1d3kd7s3kdjz9jw65n
>>> [2] https://community.apache.org/apache-way/apache-project-maturity-model.html
>>> [3] https://yunikorn.apache.org/community/download
>>> [4] https://yunikorn.apache.org/
>>> [5] https://incubator.apache.org/projects/yunikorn.html
>>> [6] https://docs.google.com/document/d/165gzC7uhcKc5XDWiMYSRKBiPQBy2tDtXADUPuhGlUa0
>
>
>
> --
> Twitter: https://twitter.com/holdenkarau
> Books (Learning Spark, High Performance Spark, etc.): https://amzn.to/2MaRAG9
> YouTube Live Streams: https://www.youtube.com/user/holdenkarau

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@yunikorn.apache.org
For additional commands, e-mail: dev-h...@yunikorn.apache.org