Enrico,
That sounds great.  We'll get the repo activated.

Tom


On Sun, Sep 27, 2020, 11:11 PM Enrico Olivelli <eolive...@gmail.com> wrote:

> Tom
> Overall I think that we can move forward.
>
> This thread has been around for a while, there are no objections, every
> question has been answered.
>
> Thank you very much
>
> I hope this activity will help in growing Zookeeper project both in code
> quality and with more contributions, that is to help the community to grow.
>
> Best regards
>
> Enrico
>
> On Mon, 28 Sep 2020, 01:27 Tom DuBuisson <to...@muse.dev> wrote:
>
> > Norbert,
> >
> > Yes, you understand that correctly.  And those analyzers are FindSecBugs,
> > Error Prone and Infer.  All open source and in moderate to wide use
> > already.  Only FindSecBugs is security specific - Infer and Error Prone
> > might find security bugs but they are more general purpose in nature.
> >
> > -Tom
> >
> > On Sun, Sep 27, 2020 at 3:43 PM Norbert Kalmar <nkal...@cloudera.com.invalid> wrote:
> >
> > > Hello Tom,
> > >
> > > +1 on the initiative, thanks for bringing this to our attention.
> > >
> > > If I understand correctly, there will be no disclosed security issues which
> > > cannot be found with open source static analyzers.
> > >
> > > Regards,
> > > Norbert
> > >
> > >
> > > On Sun, Sep 27, 2020 at 8:23 AM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
> > >
> > > > Hello Guys,
> > > >
> > > > In general I like the idea, but unfortunately I can not really participate
> > > > (either in the coding or in the review) as I have a few important projects
> > > > close to deadline at the moment.
> > > >
> > > > My only concern is with the security bugs, which I don't like to be openly
> > > > reported before publishing a release with the fix. But for any other kind
> > > > of bugfixes / improvements, I am very positive with the initiative.
> > > >
> > > >
> > > > Best regards,
> > > > Mate
> > > >
> > > > On Sun, Sep 27, 2020, 07:06 Tom DuBuisson <to...@muse.dev> wrote:
> > > >
> > > > > Enrico et al,
> > > > >
> > > > > Are there other thoughts on this?  It would be great to get set up before
> > > > > the bash actually begins.  Enrico, lacking other voices would you like to
> > > > > make a final call?
> > > > >
> > > > > -Tom
> > > > >
> > > > > On Thu, Sep 24, 2020 at 3:30 AM Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > >
> > > > > > Tom,
> > > > > > Personally I am +1 with this proposal. Thanks for your clarifications.
> > > > > >
> > > > > > But we should hear opinions from other people in this list
> > > > > >
> > > > > >
> > > > > > Enrico
> > > > > >
> > > > > > On Wed, 23 Sep 2020 at 23:51 Tom DuBuisson <to...@muse.dev> wrote:
> > > > > >
> > > > > > > Enrico,
> > > > > > >
> > > > > > > On the topic of security issues and reporting:  Muse's default configuration
> > > > > > > is open source tools and here it is run on open source projects.  The
> > > > > > > results are thus already available publicly (in this case from FSB, Infer,
> > > > > > > and Error Prone).  Muse doesn't post anything to GitHub except in the case
> > > > > > > of pull requests and then only if the bug is deemed to have been
> > > > > > > "introduced" as part of the PR - meaning it shouldn't be a vulnerability in
> > > > > > > currently shipped software.
> > > > > > >
> > > > > > > If there are desires or proposals about more control over bug reports in a
> > > > > > > convenient, configurable, manner then we'd really like to dig in and hear
> > > > > > > how to help.  In case there is more discussion on this point I'm CCing
> > > > > > > Andrew who leads Muse's product design.
> > > > > > >
> > > > > > > -Tom
> > > > > > >
> > > > > > > On Wed, Sep 23, 2020 at 1:09 PM Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > > > >
> > > > > > > > On Wed, 23 Sep 2020, 19:02 Tom DuBuisson <to...@muse.dev> wrote:
> > > > > > > >
> > > > > > > > > Enrico,
> > > > > > > > >
> > > > > > > > > The Muse App requires two main abilities.  First is events, such as
> > > > > > > > > notification when pull requests are opened or updated.  Second is
> > > > > > > > > permission to post comments (which is always possible for humans but
> > > > > > > > > more tightly controlled when the poster authenticates as a GitHub
> > > > > > > > > application).  The repository being public has allowed us to run the app
> > > > > > > > > and observe ErrorProne, Infer, and FindSecBugs all run out of the box and
> > > > > > > > > without custom configuration.
> > > > > > > > >
> > > > > > > >
> > > > > > > > Makes sense.
> > > > > > > >
> > > > > > > > One last question from my side
> > > > > > > > What about security issues?
> > > > > > > > Our policy is to have them reported to secur...@zookeeper.apache.org
> > > > > > > > before public disclosure
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Enrico
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > > Cheers,
> > > > > > > > > Tom
> > > > > > > > >
> > > > > > > > > On Wed, Sep 23, 2020 at 6:35 AM Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > > On Wed, 23 Sep 2020, 00:44 Tom DuBuisson <to...@muse.dev> wrote:
> > > > > > > > > >
> > > > > > > > > > > Zookeeper Developers,
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > As part of our sponsorship of ApacheCon, our company MuseDev is doing a Bug
> > > > > > > > > > > Bash for select Apache projects. We'll bring members of the ApacheCon
> > > > > > > > > > > community together to find and fix a range of security and performance bugs
> > > > > > > > > > > during the conference, and gamify the experience with teams, a
> > > > > > > > > > > leaderboard, and prizes. The bash is open to everyone whether attending the
> > > > > > > > > > > conference or not, and our whole dev team will also be participating to
> > > > > > > > > > > help fix as many bugs as we can.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > We're seeding the bug list with results from Muse, our code analysis
> > > > > > > > > > > platform, which runs as a Github App and comments on possible bugs as part
> > > > > > > > > > > of the pull request workflow.  Here's an example of what it looks like:
> > > > > > > > > > >
> > > > > > > > > > > https://github.com/curl/curl/pull/5971#discussion_r490252196
> > > > > > > > > > > <https://github.com/curl/curl/pull/5971>
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > We explored a number of Apache projects and are reaching out because our
> > > > > > > > > > > analysis through Muse found some interesting bugs that could be fixed
> > > > > > > > > > > during the Bash.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > We're writing to see if you'd be interested in having your project included
> > > > > > > > > > > in the Bash. Everything is set up on our end, and if you're interested, we
> > > > > > > > > > > would need you to say yes on this listserv, and we’ll work with the Apache
> > > > > > > > > > > Infrastructure team to grant Muse access to your Github mirror.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > It is a public repo, which kind of access does it need?
> > > > > > > > > >
> > > > > > > > > > Enrico
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > > We'll then make sure it's all set-up and ready for the Bash. And of course,
> > > > > > > > > > > everyone on the project is most welcome to join the Bash and help us smash
> > > > > > > > > > > some bugs.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > -Tom
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
