justinmclean opened a new issue, #177: URL: https://github.com/apache/airflow-steward/issues/177
The ASF `security_committers` policy (https://www.apache.org/security/committers.html) states:

> If the project does not have a dedicated `[email protected]` mailing
> list, all further communication regarding the vulnerability should be copied to
> `[email protected]`.

All skills in airflow-steward are written assuming the adopting project has a `security@<project>.apache.org` list (as Airflow does). There is no pre-flight check that detects when an adopter has no dedicated security list, and no enforcement that `[email protected]` is CC'd on all communications in that case.

As a result, an adopter project without a dedicated security list could run the full vulnerability handling workflow — reporter acknowledgements, rejection notices, status updates, advisory emails — without ever copying `[email protected]`, in breach of ASF policy.

## Affected skills

All skills that produce outbound email drafts or guide communication steps:

- `security-issue-sync` (status updates, acknowledgements)
- `security-issue-invalidate` (rejection notices)
- `security-issue-triage` (triage proposals that lead to rejection/acceptance)
- `security-cve-allocate` (CVE request relay for non-PMC path)

## Required changes

1. Add a field to `<project-config>/project.md` (e.g. `security_list:`) that adopters set to their project-specific security list address, or leave empty if they don't have one.
2. In `security-issue-sync` Step 0 pre-flight: if `security_list:` is empty or absent, surface a hard warning and record `cc_apache_security: true` in the observed-state bag.
3. When `cc_apache_security: true`, pre-populate `[email protected]` in the CC field of every Gmail draft template produced by the skills above.
4. Document this behaviour in `docs/setup/adopter-config.md` so adopters are aware of the requirement.
## Policy reference

- https://www.apache.org/security/committers.html — "Project-specific security mailing lists" and "Report" sections

## Notes

This does not affect Airflow itself (which has `[email protected]`), but is important for correctness of airflow-steward as a reusable framework.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
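One way the Step 0 pre-flight and the CC enforcement described in the issue could be implemented, as an added illustration that is not code from airflow-steward itself. It assumes `security_list:` is a simple `key: value` line in `project.md`, and the foundation-wide list address (redacted on this page) is left as a labelled placeholder in `ASF_SECURITY_LIST`.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Placeholder: the foundation-wide security list address is redacted on the
# issue page, so this value is an assumption and must be replaced by adopters.
ASF_SECURITY_LIST = "security@<asf-domain-placeholder>"

# Only spaces/tabs after the colon, so an empty value never swallows the next line.
_FIELD_RE = re.compile(r"^security_list:[ \t]*(.*?)[ \t]*$", re.MULTILINE)


@dataclass
class ObservedState:
    """Subset of the observed-state bag relevant to this check."""
    security_list: Optional[str]
    cc_apache_security: bool
    warnings: List[str] = field(default_factory=list)


def preflight_security_list(project_md: str) -> ObservedState:
    """Step 0 pre-flight: read `security_list:`; empty or absent => hard warning + flag."""
    match = _FIELD_RE.search(project_md)
    value = match.group(1).strip("\"'") if match else ""
    if value:
        return ObservedState(security_list=value, cc_apache_security=False)
    state = ObservedState(security_list=None, cc_apache_security=True)
    state.warnings.append(
        "HARD WARNING: no project-specific security list configured; "
        f"every outbound vulnerability email must CC {ASF_SECURITY_LIST}"
    )
    return state


def draft_recipients(state: ObservedState, to: List[str],
                     cc: Optional[List[str]] = None) -> Dict[str, List[str]]:
    """Build To/CC for a draft template, forcing the ASF list into CC when flagged."""
    cc_list = list(cc or [])
    if state.cc_apache_security and ASF_SECURITY_LIST not in cc_list:
        cc_list.append(ASF_SECURITY_LIST)
    return {"to": list(to), "cc": cc_list}


# Constructed sample project.md fragments (not from any real adopter).
WITH_LIST = "name: example\nsecurity_list: security@example.org\n"
EMPTY_LIST = "name: example\nsecurity_list:\nowner: someone\n"
MISSING_LIST = "name: example\n"

if __name__ == "__main__":
    for text in (WITH_LIST, EMPTY_LIST, MISSING_LIST):
        st = preflight_security_list(text)
        print(st.cc_apache_security, st.warnings, draft_recipients(st, ["reporter@example.org"]))
```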
