justinmclean opened a new issue, #181: URL: https://github.com/apache/airflow-steward/issues/181
## Summary

The ASF security_committers policy (https://www.apache.org/security/committers.html) states:

> If the project does not have a dedicated [email protected] mailing list, all further communication regarding the vulnerability should be copied to [email protected].

The project template (projects/_template/project.md) already has `security_list` as a required TODO field and `asf_security_list: [email protected]` hardcoded as the ASF-wide fallback. However, no skill validates that `security_list` is actually set to a non-blank value before running, and no skill falls back to `asf_security_list` if it is blank.

If an adopter leaves `security_list` empty, every Gmail draft generated by the skills will silently have a blank CC field, violating the ASF policy CC requirement without a warning.

## Affected skills

security-issue-sync, security-issue-invalidate, security-issue-import, security-cve-allocate — any skill that produces outbound Gmail drafts.

## Required changes

- In security-issue-sync Step 0 pre-flight, add a check that reads `security_list` from `<project-config>/project.md`. If blank or missing, surface a hard warning and record `cc_fallback: [email protected]` in the observed-state bag.
- In every Gmail draft template across all affected skills, resolve the CC recipient to `security_list` if non-blank; otherwise, to `asf_security_list`.
- Add a note to docs/setup/adopter-config.MD documenting the blank-`security_list` behavior and why configuring it correctly matters.

## Policy reference

https://www.apache.org/security/committers.html — "Project-specific security mailing lists" and "Report" sections
