Excellent, thanks a ton!

-Marco

Lieven Govaerts <l...@apache.org> schrieb am So., 6. Okt. 2019, 02:35:

> Hi Marco,
>
> On Sun, 6 Oct 2019 at 00:09, Marco de Abreu <marco.g.ab...@gmail.com>
> wrote:
>
> > Hi,
> >
> > These are very good points! I also noticed the security incident reporting
> > when I reviewed it and I agree that it's something we have to work out.
> >
> > I will work on something tomorrow and provide a draft for the community to
> > review. Do you think it's really necessary to have a separate email alias
> > or is it sufficient to use private@?
> >
> >
> There is actually a lot of good information related to security issues for
> ASF projects here:
> http://www.apache.org/security/
>
> This page suggests a typical procedure on how to handle security issues:
> https://www.apache.org/security/committers.html
>
>
> What I read in these pages, is that smaller projects tend to delegate
> security issue reporting to the ASF-wide security mailing list, whereas
> larger projects (or projects more often concerned with security issues) set
> up their own security@project.. mailing list.
>
> I don't see examples directly of projects using the private mailing list
> for this purpose, but I read:
>   "It is expected that a subset of project PMC members and committers will
> be subscribed to the project specific security mailing list. "
> and
>   "If reported to secur...@apache.org, the security team will forward the
> report (without acknowledging it) to the project's security list or, if the
> project does not have a security list, to the project's private (PMC)
> mailing list."
>
>
> My opinion:
> In the short term you don't need a project-specific security mailing list.
> Users are for all ASF projects by default directed to report security issues
> here: secur...@apache.org .
> You just need to document this on your website somewhere.
>
> If you start to see many issues being reported this way the project can
> decide that it's better to have a small group of volunteers to handle these
> reports.
>
> Have a look at this project list to see how other ASF projects are
> informing their users. I like the Apache Ant example for its simplicity,
> but it has all the needed information:
> http://www.apache.org/security/projects.html
>
> regards,
>
> Lieven
>
> > Best regards,
> > Marco
> >
> >
> >
> > Lieven Govaerts <l...@apache.org> schrieb am Sa., 5. Okt. 2019, 09:44:
> >
> > > Hi,
> > >
> > > On Sat, 5 Oct 2019 at 01:46, Sheng Zha <zhash...@apache.org> wrote:
> > >
> > > > Hi,
> > > >
> > > > It's time to revisit the Apache maturity model for MXNet and see where we
> > > > are with respect to graduation. Qing and I updated the maturity model in
> > > > the wiki [1]. Comments are welcome.
> > > >
> > > >
> > > for "QU30: The project provides a well-documented channel to report
> > > security issues, along with a documented way of responding to them.", you
> > > point to this page: https://mxnet.incubator.apache.org/api/faq/security.
> > > However, that page doesn't contain any information on how to contact the
> > > project to report a security issue privately.
> > >
> > > Is there a secur...@mxnet.incubator.apache.org mailing list?
> > > I don't see any information on the Contribution page that explains how
> > > security issues should be reported differently from a normal issue, so
> > > for me this is an open TODO.
> > >
> > > What does "Apache-2.0 (partial)" mean for dmlc-core? The github project
> > > indicates it's ASLv2 licensed, so what is 'partial' about it?
> > >
> > > regards,
> > >
> > > Lieven
> > >
> > >
> > >
> > > > -sz
> > > >
> > > > [1] https://cwiki.apache.org/confluence/x/lQqQBQ
> > > >
> > >
> >
>
