None of the security lists mentioned in the security page [1] are
moderated. They are private lists, i.e. not openly available for
browsing in an archive, but not moderated. Using the private@ for
YuniKorn does not seem to line up with what other projects do either.
None of the recently graduated projects mention anything like using
the private@ mailing list on their sites. They all have just used the
general security link mentioned on their site unless they have a
specific security@ list. YuniKorn would be the one standing out from
what seems to be the norm.
Examples from the last 2 years of graduated projects using a simple
link or a text pointing to [1]: Pinot, Dolphinscheduler, Ratis,
Echarts, Gobblin, TVM, Superset and Datasketches. There are more but I
think this provides an overview of what is expected on graduation.

Wilfred

[1] https://www.apache.org/security/

On Tue, 11 Jan 2022 at 18:21, Weiwei Yang <w...@apache.org> wrote:
>
> Hi Wilfred
>
> Adding a security@ mailing list sounds like a good idea, but I do not think 
> that is required at the current stage.
> We can do that post-graduation. For now, the Apache security doc says
>
> > We strongly encourage you to report potential security vulnerabilities to 
> > one of our private security mailing lists first, before disclosing them in 
> > a public forum.
>
> I do not see any issue if we use our private@ mailing list for this purpose.
>
> On Mon, Jan 10, 2022 at 11:01 PM Wilfred Spiegelenburg <wilfr...@apache.org> 
> wrote:
>>
>> The private@ is a moderated list. This has two issues: a moderator
>> needs to approve any message not sent by a PMC member. This will slow
>> down the process of interaction with the reporter. It would also not
>> reach the YuniKorn committers group as not all committers are part of
>> the PMC. Security issues should be handled and worked on by all
>> committers not just by the PMC members.
>>
>> I think the security notification update made to the website does not
>> line up with the security guidelines referenced in the link provided
>> in the dropdown menu of the YuniKorn site [1]. In that link there is a
>> well defined way to report security issues. If we need to enhance and
>> extend what we do we either establish a security@ mailing list and
>> provide a static page with security related information on our site or
>> we leave it as is. My preference would be to establish a security@
>> list and make all committers a member of that list.
>>
>> I think we need to roll back the website changes part of YUNIKORN-1006
>> [2] in PR [3] for the website.
>>
>> Wilfred
>>
>> [1] https://www.apache.org/security/
>> [2] https://issues.apache.org/jira/browse/YUNIKORN-1006
>> [3] https://github.com/apache/incubator-yunikorn-site/pull/105
>>
>> On Tue, 11 Jan 2022 at 04:45, Holden Karau <hol...@pigscanfly.ca> wrote:
>> >
>> > For "The project provides a well-documented, secure and private channel to 
>> > report security issues, along with a documented way of responding to 
>> > them." the standard that I've seen used is to tell people to e-mail 
>> > private@ when they think they might have a security related issue. I think 
>> > that would probably work well for YuniKorn too.
>> >
>> >
>> > On Mon, Jan 10, 2022 at 7:04 AM Chenya Zhang <chenyazhangche...@gmail.com> 
>> > wrote:
>> >>
>> >> Hi Weiwei,
>> >>
>> >> Thanks for driving this! The evaluation is quite comprehensive overall. I 
>> >> checked our Apache project maturity guidelines and noticed the below 
>> >> three items. Not sure if we already have them but they are not blockers 
>> >> to our graduation. We could think more about them along the way.
>> >>
>> >> QU30
>> >>
>> >> The project provides a well-documented, secure and private channel to 
>> >> report security issues, along with a documented way of responding to them.
>> >>
>> >> QU40
>> >>
>> >> The project puts a high priority on backwards compatibility and aims to 
>> >> document any incompatible changes and provide tools and documentation to 
>> >> help users transition to new features.
>> >>
>> >> CO50
>> >>
>> >> The project documents how contributors can earn more rights such as 
>> >> commit access or decision power, and applies these principles 
>> >> consistently.
>> >>
>> >>
>> >> Thanks,
>> >>
>> >> Chenya
>> >>
>> >>
>> >>
>> >> On Mon, Jan 10, 2022 at 12:00 AM Weiwei Yang <w...@apache.org> wrote:
>> >>>
>> >>> Hi YuniKorn community and mentors
>> >>>
>> >>> Based on the discussion thread [1], after 2 years of incubating, it is
>> >>> considered that now is a good time to graduate YuniKorn from the ASF
>> >>> incubator and become a top-level Apache project. We have reviewed the ASF
>> >>> project maturity model [2] and provided some assessment of the project's
>> >>> maturity based on the guidelines. Details are included below.
>> >>> Please read this and share your thoughts by replying to this email, your
>> >>> feedback will be much appreciated!!!
>> >>>
>> >>> *Code, License, and Copyright*
>> >>>
>> >>> All code is maintained on GitHub, under the Apache 2.0 license. We have
>> >>> reviewed all the dependencies and ensured they do not bring any license
>> >>> issues. All the status files, license headers, and copyright are up to date.
>> >>>
>> >>> *Release*
>> >>>
>> >>> The community has released 5 releases in the past 2 years, i.e. v0.8, v0.9,
>> >>> v0.10, v0.11, and v0.12. These releases were done by 5 different release
>> >>> managers [3] and indicate the community can create releases independently.
>> >>> We also have a well-documented release process and automated tools to help
>> >>> new release managers with the process.
>> >>>
>> >>> *Quality*
>> >>>
>> >>> The community has developed a comprehensive CI/CD pipeline to guard
>> >>> code quality. The pipeline runs per-commit license check, code-format
>> >>> check, code-coverage check, UT, and end-to-end tests. All these are built
>> >>> as automated GitHub Actions; new contributors can easily trigger and view
>> >>> results when submitting patches.
>> >>>
>> >>> *Community*
>> >>>
>> >>> The community has developed an easy-to-read homepage for the project [4];
>> >>> the website hosts all the materials related to the project including
>> >>> versioned documentation, user docs, developer docs, design docs, and
>> >>> performance docs. It provides the top-level navigation to the software
>> >>> download page, which links to all our previous releases. It also has
>> >>> pages for onboarding new contributors to the project, such as how to
>> >>> join community meetings, event links, etc.
>> >>>
>> >>> The community shows appreciation to all contributors and welcomes all kinds
>> >>> of contributions (not just code). We have built an open, diverse
>> >>> community and gathered many people to work together. With that, we have 41
>> >>> unique code contributors and some non-code contributors as well. Many of
>> >>> them have become committers and PPMC members while working with the
>> >>> community. There were 2 new mentors, 8 new committers, and 2 new PPMC
>> >>> members from 6 different organizations [5] added in the incubating phase.
>> >>> And in total, the project has 6 mentors, 21 PPMC members, and 27 committers
>> >>> from at least 14 different organizations. Community collaboration was done
>> >>> in a public, open manner; we leverage regular bi-weekly/weekly community
>> >>> meetings for 2 different timezones [6] and dev/user Slack channels and
>> >>> mailing lists for offline discussions.
>> >>>
>> >>> *Independence*
>> >>>
>> >>> The project was initially donated by Cloudera, but with a diverse open
>> >>> source community, it has been operated as an independent project since it
>> >>> entered the ASF incubator. The committers and PPMC members are a group of
>> >>> passionate people from at least 14 different organizations, such as
>> >>> Alibaba, Apple, Cloudera, Databricks, LinkedIn, Microsoft, Snowflake, etc.
>> >>> The project's success does not depend on any single entity.
>> >>>
>> >>> I have enough reasons to believe the project has successfully done
>> >>> sustainable development in the Apache way. Again, please share your
>> >>> thoughts, all YuniKorn contributors, committers, PPMC members, and mentors.
>> >>> Thank you!
>> >>>
>> >>> [1] https://lists.apache.org/thread/dno411y59g2pcy1d3kd7s3kdjz9jw65n
>> >>> [2] https://community.apache.org/apache-way/apache-project-maturity-model.html
>> >>> [3] https://yunikorn.apache.org/community/download
>> >>> [4] https://yunikorn.apache.org/
>> >>> [5] https://incubator.apache.org/projects/yunikorn.html
>> >>> [6] https://docs.google.com/document/d/165gzC7uhcKc5XDWiMYSRKBiPQBy2tDtXADUPuhGlUa0
>> >
>> >
>> >
>> > --
>> > Twitter: https://twitter.com/holdenkarau
>> > Books (Learning Spark, High Performance Spark, etc.): 
>> > https://amzn.to/2MaRAG9
>> > YouTube Live Streams: https://www.youtube.com/user/holdenkarau

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@yunikorn.apache.org
For additional commands, e-mail: dev-h...@yunikorn.apache.org