Hey Jarek, I'm very interested in security-related stuff, but not sure if I fit the bill. :)
Thanks, Utkarsh On Sat, Jan 6, 2024 at 1:43 AM Ryan Hatter <ryan.hat...@astronomer.io.invalid> wrote: > What are the criteria? Just curious, as I'm quite confident I do not fit > the criteria 😀 > > On Fri, Jan 5, 2024 at 9:21 AM Jarek Potiuk <ja...@potiuk.com> wrote: > > > Hello everyone, > > > > TL;DR; In short - we are looking for candidates to join our security > > team. Please send a message to priv...@airflow.apache.org if you would > > like to be added to the team. > > > > Following this: > > > > > https://github.com/apache/airflow/blob/main/CONTRIBUTING.rst#periodic-security-team-rotation > > I wanted to make a call for new security team members. Some of the > > people will rotate out the team as well (we want to keep the team > > small and lean and focused). > > > > First of all I have a great pleasure - in the name of the community - > > to thank for all the work the current security team has accomplished. > > > > When we started discussions at the beginning of last year we had ~ 20 > > outstanding issues, some of them older than 6 months and the process > > of fixing them was not really cool. Today we have 0 (yes - 0) > > unhandled issues. And we had >50 issues raised since so we not only > > managed to fix the backlog but also we handled incoming issues. We > > have much better understanding on how to handle them, we've improved > > and clarified our security model, and we even have some standard ways > > on handling and responding to similar issues when they come. And we > > have learning material for new team members to take a look at. > > > > What's going to happen now? > > > > We want to partially rotate the team - first of all to give the > > experienced and recognized community members an opportunity to learn > > and participate in our security process, but also to distribute a bit > > more knowledge on handling security issues in the community. > > > > I personally believe that security will become increasingly more > > important in the years to come - things like Cyber Resilience Act > > https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act > > will create a lot of opportunities to make use of the knowledge you > > can gain by becoming part of security team so I think it's also good > > to have an experience in it in a professional portflolio. > > > > What does it mean to be in a security team? > > > > * You will be subscribed to receive reports from security researchers > > > > * You will take part in the discussions when we assess the issues - > > whether they are real issues, what severity they have, how we can > > address them > > > > * You will take part in discussing on how we can improve current > > processes and even how to improve our security model and whether we > > need to apply some systematic fixes > > > > * You will possibly volunteer to fix or review, or talk to other > > community members to fix it help with handling some of the security > > issues > > > > * The traffic on our security list (after we got through the backlog) > > is moderate to small - there are maybe 1 new issue a week (usually > > less than one) and we have occasional discussions that might be more > > frequent > > > > * For the new team members - we have learning materials to get to > > understand how things work - I will prepare some "on-boarding" > > packages. > > > > * This is not a permanent "assignment" - as you see now we are doing a > > partial rotation to get some people out and bring people in, it's ok > > to leave the team if you have no time to take part and also if you > > want to leave room for others. We just introduced it and we might want > > to do ad-hoc rotation or more frequent regular rotation in the future. > > This will also depend on the needs we will have. > > > > Few things for potential candidates: > > > > * we have to know the candidate - they have to be either a committer > > or someone who has contributed a lot and we know who the person is. > > Stakeholders and community members that we know and can trust might > > also nominate some people who have security experience and already > > work on security (especially if they work on Airflow) outside of the > > community - we know our stakeholders have dedicated security people > > who have a good experience and they are not known to us simply due to > > "secrecy" around security. > > > > * we do not publicly announce who is in the team - also a bit due to > > secrecy. But PMC members know who is in it. > > > > * joining the team requires signing an ICLA with the Apache Software > > Foundation https://www.apache.org/licenses/icla.pdf where you state > > who you are. For obvious reasons. > > > > * PMC members might join as they wish. People who are not in the PMC > > (including committers) have to get a PMC approval. PMC members also > > have access to the secur...@airflow.apache.org archive, so they can > > follow the discussions there if they want, they are just not part of > > the default team to get the notifications > > > > * Release managers are members of the security team by default as they > > need to announce and manage the CVE announcements fixed in the > > releases > > > > * we want the team to be lean and "small-ish" - so we might just > > select a few people and thank others if we have too many candidates. > > We currently have 15 people in the team. I think 10-15 is a good > > number to keep. > > > > Feel free to reach out to priv...@airflow.apache.org if you would like > > to apply and you think you fulfill the criteria :). > > > > > > J. > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: dev-unsubscr...@airflow.apache.org > > For additional commands, e-mail: dev-h...@airflow.apache.org > > > > >