List etiquette on job postings (Was: Job Posting: ...)
Hi,

On Fri, Sep 17, 2010 at 7:05 PM, David Matheson dmathe...@splitrock.us wrote:
> I would appreciate any inquiries from individuals who would be interested in exploring further this job opportunity.

I believe the general policy among many (most?) Apache projects is to discourage such job postings unless explicitly allowed in a per-list etiquette document. If you're unsure about the policy of a particular list, it's best to ask before posting a job offer.

I'm not sure if the j...@apache.org list still exists (couldn't find a mention of it on www.apache.org). If it does, it's a place where all Apache-related job postings are explicitly welcomed.

That said, if people are interested in this particular offer, please contact David directly instead of through this list.

BR,

Jukka Zitting

-
To unsubscribe, e-mail: community-unsubscr...@apache.org
For additional commands, e-mail: community-h...@apache.org
Project dashboard at eclipse.org
Hi,

I just found the Eclipse project dashboard at http://dash.eclipse.org/. They've got pretty nice reports, especially the project activity and diversity charts:

http://dash.eclipse.org/dash/commits/web-app/active-projects.cgi
http://dash.eclipse.org/dash/commits/web-app/project-diversity.cgi

Anyone interested in doing something similar for http://projects.apache.org/?

BR,

Jukka Zitting
Re: [apachecon] NoSQL meetup in Oakland
Hi,

On Thu, Oct 15, 2009 at 11:17 AM, Jukka Zitting jukka.zitt...@gmail.com wrote:
> http://www.nosqloakland.org/
>
> If you're interested in attending and perhaps presenting something at the meetup, please sign up!

Given the large number of registrations so far I've decided to split the meetup into two parallel tracks. Would someone be interested in chairing the other track? I can't be in two places at the same time. :-)

You'd need to start the other track with a few words of introduction and welcome, introduce and help the speakers, and make sure that they stick to the schedule.

PS. I've had people ask for the ability to tune in remotely to the meetup. I can try setting up a Skype video call for that, but I'd love to hear if someone has better ideas on how to achieve this. I'm quite envious of all the good things I hear about the video recordings at NoSQL Berlin... :-)

BR,

Jukka Zitting
Re: [apachecon] NoSQL meetup in Oakland
Hi,

On Wed, Oct 28, 2009 at 12:10 PM, Geir Magnusson Jr. g...@pobox.com wrote:
> I volunteer to chair if you need it.

That would be great, thanks! I'll send you more details in private.

BR,

Jukka Zitting
Re: ApacheCon at ASIA
Hi,

On Wed, Oct 21, 2009 at 12:30 PM, Tetsuya Kitahata tets...@apache.org wrote:
> I am now thinking of the ApacheCon Asia Plan in Indonesia, near Jakarta. (Bali) --- Maybe Hong Kong, Tokyo, Seoul, Shanghai, Taipei. Considering the history of ASF, maybe Bali would be the nice place (Different island but we can go Jakarta!!). WDYT ALL

The concom is currently planning an Apache road show in Beijing and Colombo for Nov/Dec this year. I'm not sure how widely this event has yet been publicised, at least [1] or [2] don't yet mention it.

[1] http://www.apache.org/foundation/conferences.html
[2] http://us.apachecon.com/c/

BR,

Jukka Zitting
Re: charity
Hi Tetsuya,

Your last message came as three copies to community@ and you've been sending the same message to various other addresses too. A single message to a single list would be enough; more will just annoy people and may eventually get you kicked from the list.

The PRC is tasked with the ASF sponsorship and fundraising activities, so you'll want to discuss the charity program you propose with p...@apache.org instead of various other mailing lists. Please do not post links to any payment forms or similar pages before you've reached an appropriate agreement with the PRC.

BR,

Jukka Zitting
Re: [apachecon] NoSQL meetup in Oakland
Hi,

On Wed, Oct 14, 2009 at 11:10 AM, Noirin Shirley noi...@apache.org wrote:
> On Wed, Oct 14, 2009 at 12:51 AM, Brian McCallister bri...@skife.org wrote:
>> Do we have any more time/date thoughts on this? I know Mr. Dynomite and would love to invite him over.
>
> According to http://wiki.apache.org/apachecon/ApacheMeetupsUs09 this is booked for Monday evening, November 2nd.

Correct. Since our MoinMoin wiki is still causing some trouble, I created a standalone web site to better advertise the meetup and to start accepting sign ups:

http://www.nosqloakland.org/

If you're interested in attending and perhaps presenting something at the meetup, please sign up!

BR,

Jukka Zitting
Re: [OpenPGP] Moving Away From DSA and SHA-1
Hi,

On Tue, Aug 11, 2009 at 4:09 PM, Rich Bowen rbo...@rcbowen.com wrote:
> Is it possible to regenerate my gpg key without losing all the signatures on my existing key?

To bootstrap the new key, you could sign it with your old key. Not sure if that should be enough for others to trust that it came from you even without a F2F keysigning party.

BR,

Jukka Zitting
Re: [RESULT] [VOTE] Change community@ list settings
Hi,

On Tue, Jul 28, 2009 at 12:26 PM, Jukka Zitting jukka.zitt...@gmail.com wrote:
> There seems to be lazy consensus from PRC (judged by who responded on prc@), but I'll confirm that before getting the list settings changed. If PRC doesn't want to do this, then I'll ask infra or as a last resort turn to the board.

This list is now open to everyone with Infra as the overseeing body.

BR,

Jukka Zitting
Re: [RESULT] [VOTE] Change community@ list settings
Hi,

[responding a bit late as I'm currently on vacation and mostly offline]

On Sun, Jul 26, 2009 at 8:41 PM, Noel J. Bergman n...@devtech.com wrote:
> -1 from me for the simple reason that you failed (as far as I can tell) to get the PRC to approve your volunteering of that committee for the new oversight arrangement.

There seems to be lazy consensus from PRC (judged by who responded on prc@), but I'll confirm that before getting the list settings changed. If PRC doesn't want to do this, then I'll ask infra or as a last resort turn to the board.

BR,

Jukka Zitting
[RESULT] [VOTE] Change community@ list settings
Hi,

On Tue, Jul 7, 2009 at 11:28 PM, Jukka Zitting jukka.zitt...@gmail.com wrote:
> So, please vote on changing the settings of this list so that everyone is free to subscribe or post to this list (only posts from non-subscribers are moderated, see [5] for details). This majority vote is open for the next seven days.

We have 16 +1s:

+1 Bertrand Delacretaz
+1 Craig L Russell
+1 Davanum Srinivas
+1 Jean T. Anderson
+1 Jean-Frederic Clere
+1 John H. Embretsen
+1 Jukka Zitting
+1 Mario Ivankovits
+1 Mat Hogstrom
+1 Matthias Wessendorf
+1 Niclas Gustavsson
+1 Niclas Hedhman
+1 Peter Royal
+1 Robert Burrell Donkin
+1 Santiago Gala
+1 Thomas Vandahl

And one -1:

-1 Justin Erenkrantz

Justin had a valid point about this list having no active oversight by a PMC or another committee. Based on the vote result I will ask the PRC to take up oversight of this list.

BR,

Jukka Zitting
[apachecon] NoSQL meetup in Oakland
Hi,

I was thinking of potential cross-project meetup plans for the Content Technology track at the ApacheCon US 2009, and one idea I came up with is to organize a generic NoSQL gathering of non-relational database projects. We already have CouchDB, Jackrabbit, Hadoop and Lucene (and Cassandra?) people around, and it would be cool to invite also people and projects outside the ASF.

WDYT?

BR,

Jukka Zitting
Re: [VOTE] Change community@ list settings
Hi,

On Wed, Jul 8, 2009 at 9:28 AM, Justin Erenkrantz jus...@erenkrantz.com wrote:
> The ASF does not have public lists that are not backed by either a PMC or a committee. As long as the subscription and posting was restricted to committers, then the list did not require active oversight. Yet, once a list becomes open for all to join and post, then it requires active oversight in the form of a backing PMC or committee.

OK. Assuming this vote passes, I'll ask either Infra or PRC to take up oversight of this list. I'll also volunteer to act as the eyes and ears of that committee on this list if needed.

BR,

Jukka Zitting
Re: [VOTE] Change community@ list settings
Hi,

On Wed, Jul 8, 2009 at 5:57 PM, Craig L Russell craig.russ...@sun.com wrote:
> What's your plan to avoid spam?

Same as what we use on all our public project mailing lists: Posts from non-subscribers still need to pass moderation. I volunteer as a moderator.

BR,

Jukka Zitting
[VOTE] Change community@ list settings
Hi,

This mailing list is currently publicly archived, but only open for Apache committers to subscribe and post to. This list policy was set by a vote [1] in 2002.

I would like to change this list to be open to everyone just like all our public project mailing lists. Why? Three reasons: a) the extra moderation settings make it hard for people to post here [2,3], b) external mail archives can't easily get updates of recent posts [4], and c) I see no reason to restrict the Apache community to include just the committers. This list is today very different from what it was in 2002.

So, please vote on changing the settings of this list so that everyone is free to subscribe or post to this list (only posts from non-subscribers are moderated, see [5] for details). This majority vote is open for the next seven days.

[ ] +1 Change list settings (allow anyone to subscribe or post)
[ ] -1 Keep the current settings

My vote is +1.

[1] http://mail-archives.apache.org/mod_mbox/www-community/200211.mbox/3dc3a725.50...@apache.org
[2] http://mail-archives.apache.org/mod_mbox/www-community/200905.mbox/510143ac0905260745y75f5a2f3h33c305c0dcff9...@mail.gmail.com
[3] http://mail-archives.apache.org/mod_mbox/www-community/200907.mbox/510143ac0907030544n49a3c50ctb937b2ccee4a7...@mail.gmail.com
[4] http://apache.markmail.org/search/?q=list:org.apache.community
[5] https://issues.apache.org/jira/browse/INFRA-2127

BR,

Jukka Zitting
No-commitment support options for Apache projects
Hi,

Subscribing another mailing list just to ask a simple question is a pretty big step for many people, so I'm interested in how (or if) different Apache projects are serving such users who don't want to commit to a steady stream of incoming email.

Some projects have IRC channels and Twitter accounts for such purposes, others point to the web-to-list gateway at Nabble, and some use the issue tracker also for end user questions. And even though Apache has traditionally preferred mailing lists over web forums, some projects have loosely related support forums hosted elsewhere.

How do these things work in practice? What would you recommend for a project that's looking for such tools for interacting with new or occasional users who don't want to join the mailing lists?

BR,

Jukka Zitting
Running for the ASF board
Hi,

The ASF members are getting ready to elect the next board of the foundation, and I am one of the candidates running in the election. Since the board makes decisions that affect also the larger Apache community I wanted to share my position statement also with all of you on commun...@. Feel free to ask questions (publicly or in private) if something's not covered below or not clear enough. This is a release early version. :-)

I've been an Apache committer for a bit over four years now. During that time I've made about 3k commits, submitted nearly 4k issue comments, and sent more than 4k emails to 59 public Apache mailing lists. In other words, this is an environment where I thrive. I want to help make sure that others can have as much fun here as I'm having.

The good people at root@ know me from the frequent account requests I keep sending their way, and one of my main motivations for leading the Git effort has been to empower people who've not yet earned traditional committership. If elected, I hope to continue this work on a higher level by helping guide the foundation so that it remains open to new people and ideas and becomes an even better place for us all to work in. I don't yet have much financial, legal or management experience, but I'm hoping to learn from more experienced fellow board and foundation members as needed.

I see the Incubator not only as a way for us to teach the Apache Way to new projects, but also as a way for us to constantly challenge our practices and to learn as an organization. Sometimes this can be painful (remember the Maven repository vote on gene...@incubator), but such debates and the possible related changes to the status quo will ultimately make us stronger.

As an active developer and PMC chair I often interact with many of the foundation-wide committees, but so far I haven't been too interested in actually joining them. I'm no legal eagle or marketing wizard, and my inputs to concom and infra are fairly limited in scope. I expect this situation to continue if I get elected to the board. My main questions to these committees would be how their work benefits our projects and contributors, and what foundation resources they need to do that work. The tough part that falls on the board is then to decide how to distribute limited resources like our money and the staff it pays for.

The current board has done a great job in coming up with a real budget for the foundation, though I am concerned about the heavy increase in expenses. We are introducing a lot of new costs and the next board will need to carefully review the results and adjust the next budget accordingly. In the worst case we may even need to adjust things mid-term if the projected income turns out to be too optimistic.

There's been some recent debate about the role of marketing and PR for the ASF. I've seen how our paid professional help has benefited the PRC and the projects that have asked for help with their PR activities. So in general I think it's a good idea to spend a part of our income on this. However, the level and focusing of this resourcing has so far not been very well justified or at least understood, so I would ask the PRC to better outline what they are doing and how those efforts benefit the foundation and our projects.

One final note: As a relative newcomer I still cringe whenever I encounter another private or closed mailing list at Apache. Our projects live and breathe openness and transparency, but the foundation-wide work is still mostly done behind closed doors. In some cases there are good reasons for privacy, but I reject it as a general rule. I won't be calling for any unilateral changes in list policy, but I will be asking for the various committees to justify their use of private forums. On a similar note, I am sending this position statement also to the community@ list as I see no need for or point in not sharing my opinions with the larger Apache community.

Affiliations: I'm about to marry a girl who thinks that my opinions in many Apache debates are totally wrong. ;-) Oh, and I work as a developer for Day Software in Switzerland, where I currently live as an expat.

PS. I am not particularly interested in taking on any additional officer hats beyond my current VP, Jackrabbit one.

BR,

Jukka Zitting
Re: [apachecon] Meet the developers corner
Hi,

On Mon, May 25, 2009 at 6:27 PM, Henri Yandell hyand...@gmail.com wrote:
> what I'd really like to drum up the energy to do is a Come develop with the developers corner. In so much as I spend a decent amount of every ApacheCon now working on a Commons release and being able to pull people in and distribute out some JIRA issues would be kinda cool.

Sounds good, though I want to avoid the impression of the Meet the developers corner just containing a group of people with their backs turned and eyes staring at their laptop screens (which is what much of the hackathon area typically looks like to an outsider).

Perhaps we could use this corner as a place for people to gather based on pre-announced time and topic, and they can then find a table where they can start hacking. We can put up a wiki page for that and ask interested people to sign up with proposed topics and times.

I'd also make the Meet the developers corner a hotspot for information on all such unofficial conference program, so that people could drop by there and get the latest update on what's going on. We could also hook this up with the @apachecon twitter account for sending out updates and messages like "User looking for project X developers, reply when you can drop by."

BR,

Jukka Zitting
Re: [apachecon] Meet the developers corner
Hi,

[Niclas had trouble sending this to the list. So here's a copy. --Jukka]

Date: Tue, 26 May 2009 21:59:11 +0800
From: Niclas Hedhman nic...@apache.org
To: community@apache.org
Subject: Re: [apachecon] Meet the developers corner

On Tue, May 26, 2009 at 9:45 PM, Jukka Zitting jukka.zitt...@gmail.com wrote:
> Sounds good, though I want to avoid the impression of the Meet the developers corner just containing a group of people with their backs turned and eyes staring at their laptop screens (which is what much of the hackathon area typically looks like to an outsider).

I think PMC Members in general should wear "Please, Ask me about X!!" (X being their project) written on their backs. I think that helps the Hackathon area a lot. If that is too hard to arrange, a simple stand "Please, Ask us about X!!" on each table is also a fairly open invitation. I remember AC2008, it took me a while to locate people I was looking for, and such a sign would have made it a lot easier.

> Perhaps we could use this corner as a place for people to gather based on pre-announced time and topic, and they can then find a table where they can start hacking. We can put up a wiki page for that and ask interested people to sign up with proposed topics and times.

Yes, that sounds reasonable as well. Each developer should know when they are available, so if the time schedule is flexible at the beginning of AC, then the volunteers set the time when they are available, and the 'audience' needs to adapt (have to do that anyway).

> I'd also make the Meet the developers corner a hotspot for information on all such unofficial conference program, so that people could drop by there and get the latest update on what's going on. We could also hook this up with the @apachecon twitter account for sending out updates and messages like "User looking for project X developers, reply when you can drop by."

:-) How can I possibly survive without Twitter?

Cheers
--
Niclas Hedhman, Software Developer
http://www.qi4j.org - New Energy for Java

I live here; http://tinyurl.com/2qq9er
I work here; http://tinyurl.com/2ymelc
I relax here; http://tinyurl.com/2cgsug
[apachecon] Enterprise track?
Hi,

[hoping (in vain?) that this list will reach all interested people]

There are a number of enterprise projects like Tuscany, Synapse, Web Services, Geronimo and Directory that are planning their own tracks for the upcoming ApacheCon US 2009. Would it be a good idea to combine such efforts into a single larger Enterprise track like what we're now doing with all the web/content projects? Many potential attendees will be interested in more than just a single project, and a shared track would also be easier to market.

I unfortunately won't have time to help coordinate such a track, so for now I'm just throwing it out as an idea. Perhaps someone is interested?

BR,

Jukka Zitting
[apachecon] Meet the developers corner
Hi,

Here's an idea I came up with for the proposed Content/Web Technology track in ApacheCon US 2009: We'd reserve and mark a table or a corner of the Hackathon area as the Meet the developers corner where conference attendees could come and meet the speakers and other project committers in a semi-organized manner. The corner would have a wiki page where people from various projects can sign up so everyone will know when they'll be there and what projects they know about. This should make it easier for users and other interested people to connect with the developers.

The corner could also be used as a place for ad-hoc demos, hands-on tutorials, etc. and I'd like to ask the speakers of this track to drop by the corner for 10-15 minutes after their presentation for any followup questions and discussions for which there wasn't enough time earlier.

If people like this idea, we could even expand it to cover the entire conference instead of just a single track.

WDYT?

BR,

Jukka Zitting
Theme-based tracks at ACUS
Hi,

The upcoming ApacheCon US is looking for projects to self-organize parts of the conference. There are many projects that may have a too narrow scope or target audience to justify a full track, but perhaps we could find ways to coordinate cross-project cooperation for this. For example, I would personally be interested in seeing coordinated tracks on themes like these:

* (Web) content management (Wicket, Velocity, Lenya, Sling, etc.)
* Databases and storage (Derby, CouchDB, Jackrabbit, HBase, OpenJPA, etc.)
* XML technology (Xerces, Cocoon, XML Graphics, etc.)
* Build tools (Maven, Ant, Ivy, Continuum, Gump, etc.)

The boundaries of such themes are obviously quite fuzzy and some projects above may well already be planning their own track. Instead of tightly scoping things I'm rather looking for potential synergies between projects that we could leverage for the ApacheCon.

Also, it would be interesting to hear what tracks are already being planned. Perhaps there would be room for smaller related projects to join such efforts. For example, I know that there are initial plans at least for a search technology (centered on Lucene) track and an interoperability track. What else?

BR,

Jukka Zitting
Re: Topic-based mailing lists
Hi,

On Sun, Mar 29, 2009 at 11:55 PM, Paul Querna p...@querna.org wrote:
> I think it would end up with most threads CC'ing the relevant dev lists (cross posting ftw), as not everyone in the communities will sign up to such lists.

That might happen, though currently it's already happening as list bingo over multiple dev@ lists. With a shared list there would at least be an authoritative place where people could be pointed for the main line of the discussion.

As a concrete example, I recently started an effort to collect general purpose XML utility code into a small reusable library. The related discussion happened over d...@commons, d...@cocoon, j-...@xerces, tika-...@lucene, fop-...@xmlgraphics and commons-...@xml, with no clear consensus of where it really should belong.

> Have there been projects who are consistently cross posting each other for a shared topic of interest?

Currently this doesn't happen too much as the resulting threads quickly get really confusing as people don't keep cc'ing all the lists. I tried to do this every now and then, but nowadays I mostly use occasions like the ApacheCon where it's easier to bring related people together.

Without shared forums most shared initiatives between projects rely on having individual bridge developers who are actively participating in all the related projects. That works to some degree (the value of the bridge people is usually quickly recognized by making them ASF members :-), but unfortunately such individuals aren't too common and their time isn't always available. I'm looking for ways to lower the bar for projects to cooperate.

> (if so, maybe they should look more deeply at who is in their community, maybe they should just be one TLP?)

That works for some cases, for example the gene...@lucene list serves such a purpose for Lucene projects. But in many cases the related projects are not as closely related.

For example, the currently incubating Sling project is related to projects like Jackrabbit, Felix and CouchDB through technologies like JCR, OSGi and JSON. None of these relationships really warrant a shared TLP, but all of them are still strong enough to offer some interesting avenues for cooperation. Each of the above-mentioned technologies is also an area where we'd easily have at least a handful of Apache projects that could benefit from a shared forum that's not weighed down by the everyday issues of any specific project.

BR,

Jukka Zitting
Re: Topic-based mailing lists
Hi,

On Mon, Mar 30, 2009 at 2:25 AM, Daniel F. Savarese d...@savarese.org wrote:
> To support both inter-project cooperation and more general cross-project committer software development discussions, I would recommend starting with a single general software development discussion list for committers.

At the ApacheCon we discussed using this currently rather quiet community@ list for such a purpose, but there were fears that too big an audience would just reduce the signal/noise ratio of the list for everyone.

But yeah, if people here won't complain about seeing more high-level technical discussions about specific technologies, then I wouldn't mind following your idea of branching off common topics to separate lists only when the related traffic becomes too big for a generic list like this.

BR,

Jukka Zitting
Topic-based mailing lists
Hi,

At the ApacheCon we discussed introducing some generic topic-based mailing lists at Apache. Currently inter-project cooperation is a bit difficult as joining another dev@ or user@ mailing list can be a pretty overwhelming experience due to the heavy volume of project-specific discussion.

To avoid this problem we could introduce some generic mailing lists that cover technologies or other topics that are of interest to multiple Apache projects. Such lists could be osgi-interest@, http-interest@, xml-interest@, rest-interest@, jcr-interest@, build-interest@, etc. Whatever topic where two or more projects have a shared interest and believe that they could benefit from a low volume forum where they could coordinate their efforts and exchange experience and code.

WDYT?

BR,

Jukka Zitting
Apache best practices BOF
Hi,

There are a lot of different practices among Apache projects on topics like release and branch management, community involvement, issue tracking, licensing, security, continuous integration, code reviews, etc. I'd like to hear more about how other projects handle things like these, and share the experience I have gathered over the past few years.

To do that I have proposed an Apache best practices BOF session at the ApacheCon. If you're interested, bump the counter at http://wiki.apache.org/apachecon/BirdsOfaFeatherEu09

BR,

Jukka Zitting
Handling security vulnerabilities at Apache
Hi,

In the past few days I've been trying to gather information on how Apache projects are handling security vulnerabilities. The Security Committee has created a nice summary at http://www.apache.org/security/, but unfortunately there doesn't seem to be a good forum for discussing the details. I'm hoping to use community@ for this purpose.

One especially interesting topic is how an open source project that normally should conduct its affairs in public should handle security vulnerabilities. Responsible disclosure means that a vulnerability should be kept private until the project has had a chance to develop and release a fix for that issue. How should this be handled at Apache? The process at .../security/ answers parts of that question, but I find some steps like the suggestion to obscure the commit that fixes a vulnerability a bit awkward.

One idea I came up with is to have a read-protected area in svn where (only?) security fixes can be developed and prepared for release. A PMC could work in such an area in private until it has voted (again in private) to release the fix. At that point the security branch would be moved to the normal project area where all changes become public and can be merged back to the project trunk. Is such a setup worth the effort?

A related point is the delay that our mirror infrastructure puts on the release process. A security release that gets set up for mirroring is already publicly available even though it can't under current policies be announced until 24 hours later. Would it be acceptable to avoid this delay by pointing people directly to www.apache.org/dist when releasing security fixes?

BR,

Jukka Zitting
Re: Handling security vulnerabilities at Apache
Hi,

On Tue, Jan 13, 2009 at 6:02 PM, William A. Rowe, Jr. wr...@rowe-clan.net wrote:
> We pass around patches at secur...@httpd until they are right. Less efficient than SVN, perhaps.

More than the actual fixing of the vulnerability, I'm interested in the process of releasing the fix. Creating a release without version control is something I'd rather avoid.

Current Apache practices mandate at least four days of delay between a release candidate becoming available and the official release announcement being made. I believe the current best practice either assumes that nobody is looking close enough for the vulnerabilities or that the window of a few days is not long enough to cause much trouble. I guess that's OK.

However, if that's the case, should I worry about setting up read access controls in Jira? I mean, if I'm going to commit the fix to public svn, then I might as well track the issue in a public issue tracker. The issue could be created only when a patch or a workaround has been developed in private.

> We are eliminating private areas from /repos/asf/ due to the desire to mirror and otherwise duplicate the repository as a whole. Which leaves your project's existing private area already at /repos/private/pmc/TLP --- but of course you don't gain the ability to fork because they aren't rooted from the same repository.

Perhaps I should use git to manage security fixes. /me ducks ;-)

BR,

Jukka Zitting