Hi, I have created a PR to add the instructions: https://github.com/apache/incubator-mxnet/pull/16383
-Marco

On Sun, Oct 6, 2019 at 12:07 PM Marco de Abreu <marco.g.ab...@gmail.com> wrote:

> Excellent, thanks a ton!
>
> -Marco
>
> Lieven Govaerts <l...@apache.org> wrote on Sun, 6 Oct 2019, 02:35:
>
>> Hi Marco,
>>
>> On Sun, 6 Oct 2019 at 00:09, Marco de Abreu <marco.g.ab...@gmail.com> wrote:
>>
>> > Hi,
>> >
>> > These are very good points! I also noticed the security incident reporting
>> > when I reviewed it and I agree that it's something we have to work out.
>> >
>> > I will work on something tomorrow and provide a draft for the community to
>> > review. Do you think it's really necessary to have a separate email alias
>> > or is it sufficient to use private@?
>> >
>>
>> There is actually a lot of good information related to security issues for
>> ASF projects here:
>> http://www.apache.org/security/
>>
>> This page suggests a typical procedure on how to handle security issues:
>> https://www.apache.org/security/committers.html
>>
>> What I read in these pages is that smaller projects tend to delegate
>> security issue reporting to the ASF-wide security mailing list, whereas
>> larger projects (or projects more often concerned with security issues) set
>> up their own security@project.. mailing list.
>>
>> I don't see examples directly of projects using the private mailing list
>> for this purpose, but I read:
>> "It is expected that a subset of project PMC members and committers will
>> be subscribed to the project specific security mailing list."
>> and
>> "If reported to secur...@apache.org, the security team will forward the
>> report (without acknowledging it) to the project's security list or, if the
>> project does not have a security list, to the project's private (PMC)
>> mailing list."
>>
>> My opinion:
>> In the short term you don't need a project-specific security mailing list.
>> Users are for all ASF projects by default directed to report security issues
>> here: secur...@apache.org .
>> You just need to document this on your website somewhere.
>>
>> If you start to see many issues being reported this way the project can
>> decide that it's better to have a small group of volunteers to handle these
>> reports.
>>
>> Have a look at this project list to see how other ASF projects are
>> informing their users. I like the Apache Ant example for its simplicity,
>> but it has all the needed information:
>> http://www.apache.org/security/projects.html
>>
>> regards,
>>
>> Lieven
>>
>> > Best regards,
>> > Marco
>> >
>> > Lieven Govaerts <l...@apache.org> wrote on Sat, 5 Oct 2019, 09:44:
>> >
>> > > Hi,
>> > >
>> > > On Sat, 5 Oct 2019 at 01:46, Sheng Zha <zhash...@apache.org> wrote:
>> > >
>> > > > Hi,
>> > > >
>> > > > It's time to revisit the Apache maturity model for MXNet and see where we
>> > > > are with respect to graduation. Qing and I updated the maturity model in
>> > > > the wiki [1]. Comments are welcome.
>> > > >
>> > >
>> > > For "QU30: The project provides a well-documented channel to report
>> > > security issues, along with a documented way of responding to them.", you
>> > > point to this page:
>> > > https://mxnet.incubator.apache.org/api/faq/security. However,
>> > > that page doesn't contain any information on how to contact the project to
>> > > report a security issue privately.
>> > >
>> > > Is there a secur...@mxnet.incubator.apache.org mailing list?
>> > > I don't see any information on the Contribution page that explains how
>> > > security issues should be reported differently from a normal issue, so for
>> > > me this is an open TODO.
>> > >
>> > > What does "Apache-2.0 (partial)" mean for dmlc-core? The github project
>> > > indicates it's ASLv2 licensed, so what is 'partial' about it?
>> > >
>> > > regards,
>> > >
>> > > Lieven
>> > >
>> > > > -sz
>> > > >
>> > > > [1] https://cwiki.apache.org/confluence/x/lQqQBQ