Thanks Dian Fu for this proposal. +1 for creating a security mail list. Note
that the security mail list is a private mail list and cannot be subscribed to
publicly.
FYI, an Apache member can create a mail list using this self-service tool:
https://selfserve.apache.org/


jincheng sun <sunjincheng...@gmail.com> wrote on Thursday, November 14, 2019 at 12:25 PM:

> Hi Dian,
>
> Thanks a lot for bringing up this discussion. This is very important for
> Flink community!
>
> I think setting up a security mailing list for Flink is pretty nice, although
> `secur...@apache.org` can be used and the report will be forwarded to the Flink
> private mailing list if there is no project-specific security mailing
> list. One thing that is pretty sure is that we should guide users on how to
> report security issues on the Flink website, as security vulnerabilities should
> not be entered into a project's public bug tracker directly according to
> the guidance on how to handle security vulnerabilities on the ASF
> site[1].
>
> Besides, we also need to add a security page in Flink which shows the
> information about the security vulnerabilities per the guidance on
> security vulnerabilities on the ASF site[2]. Projects such as spark[3],
> kafka[4], etc. already have such a page.
>
> Best,
> Jincheng
>
> [1] https://www.apache.org/security/committers.html#vulnerability-handling
> [2] https://www.apache.org/security/committers.html#publishing-information
> [3] https://spark.apache.org/security.html
> [4] https://kafka.apache.org/cve-list
>
> Dian Fu <dian0511...@gmail.com> wrote on Thursday, November 14, 2019 at 12:12 PM:
>
> > Hi all,
> >
> > I'm reaching out to see if there is an existing security specific mailing
> > list in Flink. If there is, we should expose it in the official web site of
> > Flink [1] to guide people to report security issues to this mailing list.
> > If it still doesn't exist, I'm here to propose to set up a
> > secur...@flink.apache.org mailing list for reporting and discussion of
> > security specific issues. Currently, most well known apache projects such
> > as apache common[2], hadoop[3], spark[4], kafka[5], hive[6], etc have a
> > security specific mailing list. It would be nice if there is also a
> > security specific mailing list for Flink.
> >
> > Note that users should report security issues to the security mailing
> > list.
> >
> > Looking forward to your feedback!
> >
> > Regards,
> > Dian
> >
> > [1] https://flink.apache.org/community.html
> > [2] https://commons.apache.org/mail-lists.html
> > [3] https://hadoop.apache.org/mailing_lists.html
> > [4] https://spark.apache.org/community.html
> > [5] https://kafka.apache.org/project-security.html
> > [6] https://hive.apache.org/mailing_lists.html
>


-- 
Best Regards

Jeff Zhang
