Hi Mark,

In addition to the reasons Roman listed, the current structure also allows
us to allocate more compute resources to all of these Apache packages,
rather than all of them sharing the CPUs allocated for a single OSS-Fuzz
"project".

We can definitely ensure that secur...@commons.apache.org is included on
all relevant Apache projects going forward, and other than that I believe
there's not much other difference in terms of the end result (i.e. bug
reports) that end up getting filed.

Does that sound OK to you? Or did you have other concerns around the
current directory structure?

Best regards,
--
Oliver


On Wed, 9 Nov 2022 at 21:31, Roman Wagner <wag...@code-intelligence.com>
wrote:

> Hi Mark,
>
> I have added @Oliver Chang <och...@google.com> from the Google OSS-Fuzz
> to the thread.
>
> I had a short discussion with Oliver. There could be different issues in
> OSS-Fuzz by design if all apache-commons components are moved under the
> apache-commons directory:
>
>    - it is not scalable and will slow down both fuzzing and triage (e.g.
>    automated bisections, fix verification)
>    - changing the structure this way will invalidate all existing open
>    testcases, and cause new ones to be filed, which will result in a fair bit
>    of spam.
>
> My proposal would be that "secur...@commons.apache.org" is added to all
> individual apache-commons components.
> I am not sure how it is possible to ensure that future onboardings of
> apache-commons components will automatically have
> "secur...@commons.apache.org" as primary contact. OSS-Fuzz could have some
> additional documentation for that. @Oliver Chang <och...@google.com> do
> you have any ideas here?
>
> Best regards
> Roman
>
> On Tue, Nov 8, 2022 at 5:56 PM Mark Thomas <ma...@apache.org> wrote:
>
>> Thanks for the update.
>>
>> I'll wait for that PR to be resolved before taking any further action.
>>
>> Mark
>>
>>
>> On 08/11/2022 16:42, Roman Wagner wrote:
>> > Hi Mark,
>> >
>> > there is a PR open in oss-fuzz:
>> > https://github.com/google/oss-fuzz/pull/8933
>> >
>> > Best regards
>> > Roman
>> >
>> > On Tue, Nov 8, 2022 at 4:15 PM Gary Gregory <garydgreg...@gmail.com>
>> wrote:
>> >
>> >> Sounds good.
>> >>
>> >> Gary
>> >>
>> >> On Tue, Nov 8, 2022, 10:07 Mark Thomas <ma...@apache.org> wrote:
>> >>
>> >>> There has been no response to this email from anyone from Code
>> >>> Intelligence.
>> >>>
>> >>> Unless there are objections from the Apache Commons Community my next
>> >>> step will be to submit a PR to have the following modules removed from
>> >>> oss-fuzz:
>> >>>
>> >>> apache-commons-bcel
>> >>> apache-commons-beanutils
>> >>> apache-commons-cli
>> >>> apache-commons-codec
>> >>> apache-commons-collections
>> >>> apache-commons-configuration
>> >>> apache-commons-io
>> >>> apache-commons-jxpath
>> >>> apache-commons-lang
>> >>> apache-commons-logging
>> >>>
>> >>> Code Intelligence (or anyone else) will remain free to add them back in
>> >>> the right place - under apache-commons should they wish to do so.
>> >>>
>> >>> Mark
>> >>>
>> >>>
>> >>>
>> >>> On 19/10/2022 10:56, Mark Thomas wrote:
>> >>>> Hi,
>> >>>>
>> >>>> You are receiving this email as you are currently configured as the
>> >>>> recipients for oss-fuzz reports for Apache Commons JXPath.
>> >>>>
>> >>>> As per the discussion on the Apache Commons dev list[1], please make the
>> >>>> following configuration changes to the oss-fuzz integrations with
>> >>>> immediate effect:
>> >>>>
>> >>>> - Move all oss-fuzz integrations added for *ALL* Apache Commons
>> >>>>     components to the oss-fuzz module for Apache-Commons:
>> >>>>     https://github.com/google/oss-fuzz/tree/master/projects/apache-commons
>> >>>>
>> >>>>     There should *NOT* be separate oss-fuzz modules for each component
>> >>>>
>> >>>> - Add the Google account for "secur...@commons.apache.org" to
>> >>>>     - the notifications for these issues
>> >>>>     - the ACL to enable this account to access the details for each report
>> >>>>
>> >>>>
>> >>>> Please notify dev@commons.apache.org and secur...@commons.apache.org
>> >>>> when these changes have been completed.
>> >>>>
>> >>>> Thanks,
>> >>>>
>> >>>> Mark
>> >>>>
>> >>>>
>> >>>>
>> >>>> [1] https://lists.apache.org/thread/53vwy3g8w3f8nydz7jvxm8snrqx7msln
>> >>>>
>> >>>> ---------------------------------------------------------------------
>> >>>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>> >>>> For additional commands, e-mail: dev-h...@commons.apache.org
>> >>>>
>> >>>
>> >>>
>> >>>
>> >
>>
>>
>>
>
> --
>
> Roman Wagner
> Application Security Engineer
>
> Code Intelligence
> Rheinwerkallee 6
> 53227 Bonn
>
> Amtsgericht Bonn
> HRB 23408
>
> Managing Directors: Sergej Dechand, Dr. Khaled Yakdan
>
