Hi Jarek,

I have personally never done much on security, nor followed a lot of blogs/learning materials regarding it so far. I want to explore this untouched territory by myself, but I am not so sure if this will be the right forum for "experimentation".

So, not so sure if I cut the criteria here.

Thanks & Regards,
Amogh Desai

On Sat, Jan 6, 2024 at 2:14 AM Jarek Potiuk <ja...@potiuk.com> wrote:
> * we have to know the candidate - they have to be either a committer
> or someone who has contributed a lot and we know who the person is.
> Stakeholders and community members that we know and can trust might
> also nominate some people who have security experience and already
> work on security (especially if they work on Airflow) outside of the
> community - we know our stakeholders have dedicated security people
> who have a good experience and they are not known to us simply due to
> "secrecy" around security.
>
> I'd say you both fulfill the criteria :)
>
> On Fri, Jan 5, 2024 at 9:22 PM utkarsh sharma <utkarshar...@gmail.com> wrote:
> >
> > Hey Jarek,
> >
> > I'm very interested in security-related stuff, but not sure if I fit the
> > bill. :)
> >
> > Thanks,
> > Utkarsh
> >
> > On Sat, Jan 6, 2024 at 1:43 AM Ryan Hatter
> > <ryan.hat...@astronomer.io.invalid> wrote:
> > >
> > > What are the criteria? Just curious, as I'm quite confident I do not fit
> > > the criteria 😀
> > >
> > > On Fri, Jan 5, 2024 at 9:21 AM Jarek Potiuk <ja...@potiuk.com> wrote:
> > > >
> > > > Hello everyone,
> > > >
> > > > TL;DR; In short - we are looking for candidates to join our security
> > > > team. Please send a message to priv...@airflow.apache.org if you would
> > > > like to be added to the team.
> > > >
> > > > Following this:
> > > > https://github.com/apache/airflow/blob/main/CONTRIBUTING.rst#periodic-security-team-rotation
> > > > I wanted to make a call for new security team members. Some of the
> > > > people will rotate out of the team as well (we want to keep the team
> > > > small and lean and focused).
> > > >
> > > > First of all I have a great pleasure - in the name of the community -
> > > > to thank for all the work the current security team has accomplished.
> > > >
> > > > When we started discussions at the beginning of last year we had ~ 20
> > > > outstanding issues, some of them older than 6 months and the process
> > > > of fixing them was not really cool. Today we have 0 (yes - 0)
> > > > unhandled issues. And we had >50 issues raised since, so we not only
> > > > managed to fix the backlog but also we handled incoming issues. We
> > > > have a much better understanding of how to handle them, we've improved
> > > > and clarified our security model, and we even have some standard ways
> > > > of handling and responding to similar issues when they come. And we
> > > > have learning material for new team members to take a look at.
> > > >
> > > > What's going to happen now?
> > > >
> > > > We want to partially rotate the team - first of all to give the
> > > > experienced and recognized community members an opportunity to learn
> > > > and participate in our security process, but also to distribute a bit
> > > > more knowledge on handling security issues in the community.
> > > >
> > > > I personally believe that security will become increasingly more
> > > > important in the years to come - things like the Cyber Resilience Act
> > > > https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
> > > > will create a lot of opportunities to make use of the knowledge you
> > > > can gain by becoming part of the security team, so I think it's also good
> > > > to have experience in it in a professional portfolio.
> > > >
> > > > What does it mean to be in a security team?
> > > >
> > > > * You will be subscribed to receive reports from security researchers
> > > >
> > > > * You will take part in the discussions when we assess the issues -
> > > > whether they are real issues, what severity they have, how we can
> > > > address them
> > > >
> > > > * You will take part in discussing how we can improve current
> > > > processes and even how to improve our security model and whether we
> > > > need to apply some systematic fixes
> > > >
> > > > * You will possibly volunteer to fix or review, or talk to other
> > > > community members to fix it, or help with handling some of the security
> > > > issues
> > > >
> > > > * The traffic on our security list (after we got through the backlog)
> > > > is moderate to small - there is maybe 1 new issue a week (usually
> > > > less than one) and we have occasional discussions that might be more
> > > > frequent
> > > >
> > > > * For the new team members - we have learning materials to get to
> > > > understand how things work - I will prepare some "on-boarding"
> > > > packages.
> > > >
> > > > * This is not a permanent "assignment" - as you see now we are doing a
> > > > partial rotation to get some people out and bring people in; it's ok
> > > > to leave the team if you have no time to take part and also if you
> > > > want to leave room for others. We just introduced it and we might want
> > > > to do ad-hoc rotation or more frequent regular rotation in the future.
> > > > This will also depend on the needs we will have.
> > > >
> > > > A few things for potential candidates:
> > > >
> > > > * we have to know the candidate - they have to be either a committer
> > > > or someone who has contributed a lot and we know who the person is.
> > > > Stakeholders and community members that we know and can trust might
> > > > also nominate some people who have security experience and already
> > > > work on security (especially if they work on Airflow) outside of the
> > > > community - we know our stakeholders have dedicated security people
> > > > who have a good experience and they are not known to us simply due to
> > > > "secrecy" around security.
> > > >
> > > > * we do not publicly announce who is in the team - also a bit due to
> > > > secrecy. But PMC members know who is in it.
> > > >
> > > > * joining the team requires signing an ICLA with the Apache Software
> > > > Foundation https://www.apache.org/licenses/icla.pdf where you state
> > > > who you are. For obvious reasons.
> > > >
> > > > * PMC members might join as they wish. People who are not in the PMC
> > > > (including committers) have to get a PMC approval. PMC members also
> > > > have access to the secur...@airflow.apache.org archive, so they can
> > > > follow the discussions there if they want; they are just not part of
> > > > the default team to get the notifications
> > > >
> > > > * Release managers are members of the security team by default as they
> > > > need to announce and manage the CVE announcements fixed in the
> > > > releases
> > > >
> > > > * we want the team to be lean and "small-ish" - so we might just
> > > > select a few people and thank others if we have too many candidates.
> > > > We currently have 15 people in the team. I think 10-15 is a good
> > > > number to keep.
> > > >
> > > > Feel free to reach out to priv...@airflow.apache.org if you would like
> > > > to apply and you think you fulfill the criteria :).
> > > >
> > > > J.
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: dev-unsubscr...@airflow.apache.org
> > > > For additional commands, e-mail: dev-h...@airflow.apache.org
> > > >