On 11/10/2022 16:25, Mike Drob wrote:
> Thanks for this outline, Mark. Some questions in line.
>
> Mike
>
> On Tue, Oct 11, 2022 at 6:13 AM Mark Thomas <ma...@apache.org> wrote:
>
>> Roman - don't do anything yet.
>>
>> Commons folk, I suggest the following which is based on how we have
>> oss-fuzz set up on Tomcat.
>>
>> 1. Create a Google account for fuzz-testing@c.a.o
>> 2. Put the password for the account in the PMC private shared repo so
>> any PMC member can access these reports.
>
> If the dashboard doesn't support groups then maybe this is the only way.
> Otherwise I think it would be very nice if we could use ASF committer info
> or possibly github info since that often has mirrored groups of our
> internal organizational structure.

Yes this would be ideal, but isn't currently possible.

>> 3. Get Roman to add this account to the JXPath oss-fuzz project and the
>> projects for any other Commons components they have set up
>
> Maybe it makes sense to group all of the apache-commons-* projects under
> the general apache-commons module at
> https://github.com/google/oss-fuzz/tree/master/projects/
> That module is the one that was initially set up, including compress and
> imaging as mentioned by Matt S upthread.

+1.

>> 4. Review the reports once we have access via fuzz-testing@c.a.o (I'll
>> volunteer to help with this as I have some experience from Tomcat which
>> should speed things up)
>
> I would be happy to volunteer.

Tx

>> 5. Ask the ASF security to get all CVEs allocated by Google to Apache
>> Commons components transferred to the ASF (we can edit them once we have
>> ownership)
>> 6. Ask the ASF security team to contact Google to make sure that Google
>> follows the CNA rules and stops allocating CVEs for projects outside of
>> its scope.
>>
>> If there is agreement to this approach, I'll volunteer to get the things
>> on the list above done. Depending on the number of issues, I may be
>> asking for help with 4.
>>
>> Given this is all public, I don't see any need to use the security@c.a.o
>> list unless we come across a valid, non-public issue.

Based on the feedback I'm amending my proposal to replace the original step 3) with:

3a) Get the new shared account added to the existing apache-commons module
3b) Request that Code Intelligence move these individual modules under the existing apache-commons module.

Mark
