Hi Jarek,

I’m also interested in learning security stuff, but I have no related 
experience. I'm not sure whether I fit the criteria.

Best,
Wei

> On Jan 6, 2024, at 12:56 PM, Amogh Desai <amoghdesai....@gmail.com> wrote:
> 
> Hi Jarek,
> 
> I have personally never done much on security, nor have I followed many
> blogs/learning materials regarding it so far. I want to explore this
> untouched territory by myself, but I am not so sure if this will be the
> right forum for "experimentation".
> 
> So, not so sure if I cut the criteria here.
> 
> Thanks & Regards,
> Amogh Desai
> 
> On Sat, Jan 6, 2024 at 2:14 AM Jarek Potiuk <ja...@potiuk.com> wrote:
> 
>> * we have to know the candidate  - they have to be either a committer
>> or someone who has contributed a lot and we know who the person is.
>> Stakeholders and community members that we know and can trust might
>> also nominate some people who have security experience and already
>> work on security (especially if they work on Airflow) outside of the
>> community - we know our stakeholders have dedicated security people
>> who have a good experience and they are not known to us simply due to
>> "secrecy" around security.
>> 
>> 
>> I'd say you both fulfill the criteria :)
>> 
>> On Fri, Jan 5, 2024 at 9:22 PM utkarsh sharma <utkarshar...@gmail.com>
>> wrote:
>>> 
>>> Hey Jarek,
>>> 
>>> I'm very interested in security-related stuff, but not sure if I fit the
>>> bill. :)
>>> 
>>> Thanks,
>>> Utkarsh
>>> 
>>> On Sat, Jan 6, 2024 at 1:43 AM Ryan Hatter
>>> <ryan.hat...@astronomer.io.invalid> wrote:
>>> 
>>>> What are the criteria? Just curious, as I'm quite confident I do not
>>>> fit the criteria 😀
>>>> 
>>>> On Fri, Jan 5, 2024 at 9:21 AM Jarek Potiuk <ja...@potiuk.com> wrote:
>>>> 
>>>>> Hello everyone,
>>>>> 
>>>>> TL;DR: In short - we are looking for candidates to join our security
>>>>> team. Please send a message to priv...@airflow.apache.org if you
>>>>> would like to be added to the team.
>>>>> 
>>>>> Following this:
>>>>> 
>>>>> https://github.com/apache/airflow/blob/main/CONTRIBUTING.rst#periodic-security-team-rotation
>>>>> I wanted to make a call for new security team members. Some of the
>>>>> people will rotate out of the team as well (we want to keep the team
>>>>> small, lean and focused).
>>>>> 
>>>>> First of all I have a great pleasure - in the name of the community -
>>>>> to thank the current security team for all the work it has accomplished.
>>>>> 
>>>>> When we started discussions at the beginning of last year we had ~ 20
>>>>> outstanding issues, some of them older than 6 months and the process
>>>>> of fixing them was not really cool. Today we have 0 (yes - 0)
>>>>> unhandled issues. And we had >50 issues raised since so we not only
>>>>> managed to fix the backlog but also we handled incoming issues. We
>>>>> have a much better understanding of how to handle them, we've improved
>>>>> and clarified our security model, and we even have some standard ways
>>>>> on handling and responding to similar issues when they come. And we
>>>>> have learning material for new team members to take a look at.
>>>>> 
>>>>> What's going to happen now?
>>>>> 
>>>>> We want to partially rotate the team - first of all to give the
>>>>> experienced and recognized community members an opportunity to learn
>>>>> and participate in our security process, but also to distribute a bit
>>>>> more knowledge on handling security issues in the community.
>>>>> 
>>>>> I personally believe that security will become increasingly
>>>>> important in the years to come - things like the Cyber Resilience Act
>>>>> https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
>>>>> will create a lot of opportunities to make use of the knowledge you
>>>>> can gain by becoming part of the security team, so I think it's also
>>>>> good to have experience in it in a professional portfolio.
>>>>> 
>>>>> What does it mean to be in a security team?
>>>>> 
>>>>> * You will be subscribed to receive reports from security researchers
>>>>> 
>>>>> * You will take part in the discussions when we assess the issues -
>>>>> whether they are real issues, what severity they have, how we can
>>>>> address them
>>>>> 
>>>>> * You will take part in discussing how we can improve current
>>>>> processes and even how to improve our security model, and whether we
>>>>> need to apply some systematic fixes
>>>>> 
>>>>> * You will possibly volunteer to fix or review, or talk to other
>>>>> community members to fix it, to help with handling some of the security
>>>>> issues
>>>>> 
>>>>> * The traffic on our security list (after we got through the backlog)
>>>>> is moderate to small - there is maybe one new issue a week (usually
>>>>> less than one) and we have occasional discussions that might be more
>>>>> frequent
>>>>> 
>>>>> * For the new team members - we have learning materials to get to
>>>>> understand how things work - I will prepare some "on-boarding"
>>>>> packages.
>>>>> 
>>>>> * This is not a permanent "assignment" - as you see now we are doing a
>>>>> partial rotation to get some people out and bring people in, it's ok
>>>>> to leave the team if you have no time to take part and also if you
>>>>> want to leave room for others. We just introduced it and we might want
>>>>> to do ad-hoc rotation or more frequent regular rotation in the future.
>>>>> This will also depend on the needs we will have.
>>>>> 
>>>>> A few things for potential candidates:
>>>>> 
>>>>> * we have to know the candidate  - they have to be either a committer
>>>>> or someone who has contributed a lot and we know who the person is.
>>>>> Stakeholders and community members that we know and can trust might
>>>>> also nominate some people who have security experience and already
>>>>> work on security (especially if they work on Airflow) outside of the
>>>>> community - we know our stakeholders have dedicated security people
>>>>> who have a good experience and they are not known to us simply due to
>>>>> "secrecy" around security.
>>>>> 
>>>>> * we do not publicly announce who is in the team - also a bit due to
>>>>> secrecy. But PMC members know who is in it.
>>>>> 
>>>>> * joining the team requires signing an ICLA with the Apache Software
>>>>> Foundation https://www.apache.org/licenses/icla.pdf where you state
>>>>> who you are. For obvious reasons.
>>>>> 
>>>>> * PMC members might join as they wish. People who are not in the PMC
>>>>> (including committers) have to get a PMC approval. PMC members also
>>>>> have access to the secur...@airflow.apache.org archive, so they can
>>>>> follow the discussions there if they want, they are just not part of
>>>>> the default team to get the notifications
>>>>> 
>>>>> * Release managers are members of the security team by default as
>>>>> they need to announce and manage the CVE announcements fixed in the
>>>>> releases
>>>>> 
>>>>> * we want the team to be lean and "small-ish" - so we might just
>>>>> select a few people and thank others if we have too many candidates.
>>>>> We currently have 15 people in the team. I think 10-15 is a good
>>>>> number to keep.
>>>>> 
>>>>> Feel free to reach out to priv...@airflow.apache.org if you would
>>>>> like to apply and you think you fulfill the criteria :).
>>>>> 
>>>>> 
>>>>> J.
>>>>> 
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: dev-unsubscr...@airflow.apache.org
>>>>> For additional commands, e-mail: dev-h...@airflow.apache.org
>>>>> 
>>>>> 
>>>> 
>> 
