justinmclean opened a new issue, #180: URL: https://github.com/apache/airflow-steward/issues/180
## Summary

The ASF `security_committers` policy (https://www.apache.org/security/committers.html) requires as a post-announcement step:

> The project team updates the project's security pages.

Neither `security-issue-sync` nor any other skill, process doc, or roles doc in this repo mentions updating the project's public security pages (e.g. `https://airflow.apache.org/security/`) after an advisory ships. A grep across the entire repo for "security page", "update page", and "/security" returns no matches in any skill or process document. This means the step is silently skipped in every advisory lifecycle run by the skills.

## Where the gap shows up

`security-issue-sync` tracks the full advisory lifecycle through to CVE PUBLISHED state and issue close (Steps 13–15), but the signal table in Step 1d and the proposal items in Step 2b contain no entry for "update the project security pages". The release manager hand-off comment (fired at the `fix released` transition) also does not include this as a checklist item.

## Required changes

1. Add an entry to the Step 1d signal table in `security-issue-sync`:

   > `announced` label set and *Public advisory URL* body field populated, but no "security pages updated" marker recorded → propose adding a checklist item for the release manager to update the project security pages.

2. Add a checklist item to the **release-manager hand-off comment** (fired at the `pr merged → fix released` transition, Step 2b) that explicitly lists updating the security pages as a required post-advisory action.
3. Add the step to `docs/security/process.md` and `docs/security/roles.md` under the release manager's post-announcement responsibilities.
4. Optionally: add a project-config key in `projects/_template/project.md` for the security pages URL (e.g. `security_pages_url`) so the skill can render a clickable link in the checklist item rather than a generic placeholder.
## Policy reference

- https://www.apache.org/security/committers.html — "Complete" section, first bullet

## Notes

This is a documentation and skill-checklist gap, not a process logic change. The release manager still performs the update manually; the skill just needs to prompt them to do it.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
