Hi Wilfred

Adding a security@ mailing list sounds like a good idea, but I do not think
that is required at the current stage.
We can do that post-graduation. For now, the Apache security doc says:

> We strongly encourage you to report potential security vulnerabilities to
> one of our private security mailing lists first, before disclosing them in
> a public forum.

I do not see any issue if we use our private@ mailing list for this purpose.

On Mon, Jan 10, 2022 at 11:01 PM Wilfred Spiegelenburg <wilfr...@apache.org>
wrote:

> The private@ is a moderated list. This has two issues: a moderator
> needs to approve any message not sent by a PMC member. This will slow
> down the process of interaction with the reporter. It would also not
> reach the YuniKorn committers group as not all committers are part of
> the PMC. Security issues should be handled and worked on by all
> committers not just by the PMC members.
>
> The security notification update made to the website I think does not
> line up with the security guidelines referenced in the link provided
> in the dropdown menu of the YuniKorn site [1]. In that link there is a
> well defined way to report security issues. If we need to enhance and
> extend what we do we either establish a security@ mailing list and
> provide a static page with security related information on our site or
> we leave it as is. My preference would be to establish a security@
> list and make all committers a member of that list.
>
> I think we need to roll back the website changes part of YUNIKORN-1006
> [2] in PR [3] for the website.
>
> Wilfred
>
> [1] https://www.apache.org/security/
> [2] https://issues.apache.org/jira/browse/YUNIKORN-1006
> [3] https://github.com/apache/incubator-yunikorn-site/pull/105
>
> On Tue, 11 Jan 2022 at 04:45, Holden Karau <hol...@pigscanfly.ca> wrote:
> >
> > For "The project provides a well-documented, secure and private channel
> > to report security issues, along with a documented way of responding to
> > them." the standard that I've seen used is to tell people to e-mail private@
> > when they think they might have a security related issue. I think that
> > would probably work well for YuniKorn too.
> >
> >
> > On Mon, Jan 10, 2022 at 7:04 AM Chenya Zhang <
> chenyazhangche...@gmail.com> wrote:
> >>
> >> Hi Weiwei,
> >>
> >> Thanks for driving this! The evaluation is quite comprehensive overall.
> >> I checked our Apache project maturity guidelines and noticed the below
> >> three items. Not sure if we already have them but they are not blockers to
> >> our graduation. We could think more about them along the way.
> >>
> >> QU30
> >>
> >> The project provides a well-documented, secure and private channel to
> >> report security issues, along with a documented way of responding to them.
> >>
> >> QU40
> >>
> >> The project puts a high priority on backwards compatibility and aims to
> >> document any incompatible changes and provide tools and documentation to
> >> help users transition to new features.
> >>
> >> CO50
> >>
> >> The project documents how contributors can earn more rights such as
> >> commit access or decision power, and applies these principles consistently.
> >>
> >>
> >> Thanks,
> >>
> >> Chenya
> >>
> >>
> >>
> >> On Mon, Jan 10, 2022 at 12:00 AM Weiwei Yang <w...@apache.org> wrote:
> >>>
> >>> Hi YuniKorn community and mentors
> >>>
> >>> Based on the discussion thread [1], after 2 years' time of incubating, it is
> >>> considered that now is a good time to graduate YuniKorn from the ASF
> >>> incubator and become a top-level Apache project. We have reviewed the ASF
> >>> project maturity model [2] and provided some assessment of the project's
> >>> maturity based on the guidelines. Details are included as the following.
> >>> Please read this and share your thoughts by replying to this email; your
> >>> feedback will be much appreciated!!!
> >>>
> >>> *Code, License, and Copyright*
> >>>
> >>> All code is maintained on GitHub, under the Apache 2.0 license. We have
> >>> reviewed all the dependencies and ensured they do not bring any license
> >>> issues. All the status files, license headers, and copyright are up to date.
> >>>
> >>> *Release*
> >>>
> >>> The community has released 5 releases in the past 2 years, i.e. v0.8, v0.9,
> >>> v0.10, v0.11, and v0.12. These releases were done by 5 different release
> >>> managers [3] and indicate the community can create releases independently.
> >>> We also have a well-documented release process and automated tools to help
> >>> new release managers with the process.
> >>>
> >>> *Quality*
> >>>
> >>> The community has developed a comprehensive CI/CD pipeline as a guard of
> >>> the code quality. The pipeline runs per-commit license check, code-format
> >>> check, code-coverage check, UT, and end-to-end tests. All these are built
> >>> as automated GitHub actions; new contributors can easily trigger and view
> >>> results when submitting patches.
> >>>
> >>> *Community*
> >>>
> >>> The community has developed an easy-to-read homepage for the project [4];
> >>> the website hosts all the materials related to the project including
> >>> versioned documentation, user docs, developer docs, design docs, and
> >>> performance docs. It provides the top-level navigation to the software
> >>> download page, which links to all our previous releases. It also has the
> >>> pages for new contributors on-boarding with the project, such as how to
> >>> join community meetings, event links, etc.
> >>>
> >>> The community shows appreciation to all contributors and welcomes all kinds
> >>> of contributions (not just code). We have built an open, diverse
> >>> community and gathered many people to work together. With that, we have 41
> >>> unique code contributors and some non-code contributors as well. Many of
> >>> them have become committers and PPMC members while working with the
> >>> community. There were 2 new mentors, 8 new committers, and 2 new PPMC
> >>> members from 6 different organizations [5] added in the incubating phase.
> >>> In total, the project has 6 mentors, 21 PPMC members, and 27 committers
> >>> from at least 14 different organizations. Community collaboration was done
> >>> in a wide-public, open manner; we leverage regular bi-weekly/weekly
> >>> community meetings for 2 different timezones [6] and dev/user Slack
> >>> channels and mailing lists for offline discussions.
> >>>
> >>> *Independence*
> >>>
> >>> The project was initially donated by Cloudera, but with a diverse open
> >>> source community, it has been operated as an independent project since it
> >>> entered the ASF incubator. The committers and PPMC members are a group of
> >>> passionate people from at least 14 different organizations, such as
> >>> Alibaba, Apple, Cloudera, Databricks, LinkedIn, Microsoft, Snowflake, etc.
> >>> The project's success does not depend on any single entity.
> >>>
> >>> I have enough reasons to believe the project has done sustainable
> >>> development successfully in the Apache way. Again, please share your
> >>> thoughts, all YuniKorn contributors, committers, PPMC, and mentors. Thank
> >>> you!
> >>>
> >>> [1] https://lists.apache.org/thread/dno411y59g2pcy1d3kd7s3kdjz9jw65n
> >>> [2] https://community.apache.org/apache-way/apache-project-maturity-model.html
> >>> [3] https://yunikorn.apache.org/community/download
> >>> [4] https://yunikorn.apache.org/
> >>> [5] https://incubator.apache.org/projects/yunikorn.html
> >>> [6] https://docs.google.com/document/d/165gzC7uhcKc5XDWiMYSRKBiPQBy2tDtXADUPuhGlUa0
> >
> >
> >
> > --
> > Twitter: https://twitter.com/holdenkarau
> > Books (Learning Spark, High Performance Spark, etc.):
> > https://amzn.to/2MaRAG9
> > YouTube Live Streams: https://www.youtube.com/user/holdenkarau
>
