I'd say you both fulfill the criteria :)

On Fri, Jan 5, 2024 at 9:22 PM utkarsh sharma <utkarshar...@gmail.com> wrote:
>
> Hey Jarek,
>
> I'm very interested in security-related stuff, but not sure if I fit the bill. :)
>
> Thanks,
> Utkarsh
>
> On Sat, Jan 6, 2024 at 1:43 AM Ryan Hatter <ryan.hat...@astronomer.io.invalid> wrote:
> >
> > What are the criteria? Just curious, as I'm quite confident I do not fit the criteria 😀
> >
> > On Fri, Jan 5, 2024 at 9:21 AM Jarek Potiuk <ja...@potiuk.com> wrote:
> > >
> > > Hello everyone,
> > >
> > > TL;DR: In short - we are looking for candidates to join our security team. Please send a message to priv...@airflow.apache.org if you would like to be added to the team.
> > >
> > > Following this:
> > >
> > > https://github.com/apache/airflow/blob/main/CONTRIBUTING.rst#periodic-security-team-rotation
> > >
> > > I wanted to make a call for new security team members. Some of the people will rotate out of the team as well (we want to keep the team small and lean and focused).
> > >
> > > First of all I have a great pleasure - in the name of the community - to thank the current security team for all the work it has accomplished.
> > >
> > > When we started discussions at the beginning of last year we had ~20 outstanding issues, some of them older than 6 months, and the process of fixing them was not really cool. Today we have 0 (yes - 0) unhandled issues. And we had >50 issues raised since, so we not only managed to fix the backlog but also handled incoming issues. We have a much better understanding of how to handle them, we've improved and clarified our security model, and we even have some standard ways of handling and responding to similar issues when they come. And we have learning material for new team members to take a look at.
> > >
> > > What's going to happen now?
> > >
> > > We want to partially rotate the team - first of all to give experienced and recognized community members an opportunity to learn and participate in our security process, but also to distribute a bit more knowledge on handling security issues in the community.
> > >
> > > I personally believe that security will become increasingly more important in the years to come - things like the Cyber Resilience Act https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act will create a lot of opportunities to make use of the knowledge you can gain by becoming part of the security team, so I think it's also good to have experience in it in a professional portfolio.
> > >
> > > What does it mean to be in the security team?
> > >
> > > * You will be subscribed to receive reports from security researchers
> > >
> > > * You will take part in the discussions when we assess the issues - whether they are real issues, what severity they have, how we can address them
> > >
> > > * You will take part in discussing how we can improve current processes and even how to improve our security model and whether we need to apply some systematic fixes
> > >
> > > * You will possibly volunteer to fix or review, or talk to other community members to fix it, and help with handling some of the security issues
> > >
> > > * The traffic on our security list (after we got through the backlog) is moderate to small - there is maybe 1 new issue a week (usually less than one) and we have occasional discussions that might be more frequent
> > >
> > > * For the new team members - we have learning materials to get to understand how things work - I will prepare some "on-boarding" packages.
> > >
> > > * This is not a permanent "assignment" - as you see now we are doing a partial rotation to get some people out and bring people in, it's ok to leave the team if you have no time to take part and also if you want to leave room for others. We just introduced it and we might want to do ad-hoc rotation or more frequent regular rotation in the future. This will also depend on the needs we will have.
> > >
> > > A few things for potential candidates:
> > >
> > > * we have to know the candidate - they have to be either a committer or someone who has contributed a lot and we know who the person is. Stakeholders and community members that we know and can trust might also nominate some people who have security experience and already work on security (especially if they work on Airflow) outside of the community - we know our stakeholders have dedicated security people who have good experience and they are not known to us simply due to "secrecy" around security.
> > >
> > > * we do not publicly announce who is in the team - also a bit due to secrecy. But PMC members know who is in it.
> > >
> > > * joining the team requires signing an ICLA with the Apache Software Foundation https://www.apache.org/licenses/icla.pdf where you state who you are. For obvious reasons.
> > >
> > > * PMC members might join as they wish. People who are not in the PMC (including committers) have to get PMC approval. PMC members also have access to the secur...@airflow.apache.org archive, so they can follow the discussions there if they want, they are just not part of the default team to get the notifications
> > >
> > > * Release managers are members of the security team by default as they need to announce and manage the CVE announcements fixed in the releases
> > >
> > > * we want the team to be lean and "small-ish" - so we might just select a few people and thank others if we have too many candidates. We currently have 15 people in the team. I think 10-15 is a good number to keep.
> > >
> > > Feel free to reach out to priv...@airflow.apache.org if you would like to apply and you think you fulfill the criteria :).
> > >
> > > J.
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: dev-unsubscr...@airflow.apache.org
> > > For additional commands, e-mail: dev-h...@airflow.apache.org