Hi Marco,

On Sun, 6 Oct 2019 at 00:09, Marco de Abreu <marco.g.ab...@gmail.com> wrote:

> Hi,
>
> These are very good points! I also noticed the security incident reporting
> when I reviewed it and I agree that it's something we have to work out.
>
> I will work on something tomorrow and provide a draft for the community to
> review. Do you think it's really necessary to have a separate email alias
> or is it sufficient to use private@?
>
>
There is actually a lot of good information related to security issues for
ASF projects here:
http://www.apache.org/security/

This page suggests a typical procedure on how to handle security issues:
https://www.apache.org/security/committers.html


What I read in these pages, is that smaller projects tend to delegate
security issue reporting to the ASF-wide security mailing list, whereas
larger projects (or projects more often concerned with security issues) set
up their own security@project.. mailing list.

I don't see examples directly of projects using the private mailing list
for this purpose, but I read:
  "It is expected that a subset of project PMC members and committers will
be subscribed to the project specific security mailing list. "
and
  "If reported to secur...@apache.org, the security team will forward the
report (without acknowledging it) to the project's security list or, if the
project does not have a security list, to the project's private (PMC)
mailing list."


My opinion:
In the short term you don't need a project-specific security mailing list.
Users are for all ASF projects by default directed to report security issues
here: secur...@apache.org .
You just need to document this on your website somewhere.

If you start to see many issues being reported this way the project can
decide that it's better to have a small group of volunteers to handle these
reports.

Have a look at this project list to see how other ASF projects are
informing their users. I like the Apache Ant example for its simplicity,
but it has all the needed information:
http://www.apache.org/security/projects.html

regards,

Lieven

> Best regards,
> Marco
>
>
>
> Lieven Govaerts <l...@apache.org> schrieb am Sa., 5. Okt. 2019, 09:44:
>
> > Hi,
> >
> > On Sat, 5 Oct 2019 at 01:46, Sheng Zha <zhash...@apache.org> wrote:
> >
> > > Hi,
> > >
> > > It's time to revisit the Apache maturity model for MXNet and see where
> we
> > > are with respect to graduation. Qing and I updated the maturity model
> in
> > > the wiki [1]. Comments are welcome.
> > >
> > >
> > for "QU30: The project provides a well-documented channel to report
> > security issues, along with a documented way of responding to them.", you
> > point to this page:
> > https://mxnet.incubator.apache.org/api/faq/security. However,
> > that page doesn't contain any information on how to contact the project
> to
> > report a security issue privately.
> >
> > Is there a secur...@mxnet.incubator.apache.org mailing list?
> > I don't see any information on the Contribution page that explains how
> > security issues should be reported differently from a normal issue, so
> for
> > me this is an open TODO.
> >
> > What does "Apache-2.0 (partial)" mean for dmlc-core? The github project
> > indicates it's ASLv2 licensed, so what is 'partial' about it?
> >
> > regards,
> >
> > Lieven
> >
> >
> >
> > > -sz
> > >
> > > [1] https://cwiki.apache.org/confluence/x/lQqQBQ
> > >
> >
>
