Re: [RESULT][VOTE] CVE creation process

2022-01-09 Thread Volkan Yazıcı
Here it is: https://github.com/apache/logging-log4j2/pull/690

Mind somebody reviewing and merging it, please?

On Fri, Jan 7, 2022 at 1:35 PM Gary Gregory  wrote:

> Hi all,
>
> Where can we record this decision? In a text file in the repo? Wiki? Both?
>
> Gary
>
> On Fri, Jan 7, 2022, 05:22 Volkan Yazıcı  wrote:
>
> > Hello,
> >
> > This is the result of the vote introducing the process that enforces
> > CVE submissions[1] and their content to be first subject to voting by
> > means of "lazy approval"[2] using the (private)
> > `secur...@logging.apache.org` mailing list:
> >
> > 6x +1 (accepting the process), all binding
> > 2x +0 (abstaining)
> >
> > Details:
> >
> > +1 (accepting the process):
> > Ralph Goers (binding)
> > Gary Gregory (binding)
> > Christian Grobmeier (binding)
> > Carter Kozak (binding)
> > Matt Sicker (binding)
> > Volkan Yazıcı (binding)
> >
> > +0:
> > Xeno Amess (non binding)
> > Dominik Psenner (binding)
> >
> > The PMC decided unanimously to introduce the aforementioned CVE
> > creation process.
> >
> > Kind regards,
> > Volkan
> >
> > [1] Note that this process only involves the creation of CVEs and
> > doesn't interfere with any form of fixes or releases.
> > [2] An action with lazy approval is implicitly allowed unless a -1
> > vote is received, at which time, depending on the type of action,
> > either lazy majority or lazy consensus approval must be obtained. For
> > details see https://logging.apache.org/guidelines.html
> >
>


Re: [RESULT][VOTE] CVE creation process

2022-01-07 Thread Gary Gregory
Hi all,

Where can we record this decision? In a text file in the repo? Wiki? Both?

Gary

On Fri, Jan 7, 2022, 05:22 Volkan Yazıcı  wrote:

> Hello,
>
> This is the result of the vote introducing the process that enforces
> CVE submissions[1] and their content to be first subject to voting by
> means of "lazy approval"[2] using the (private)
> `secur...@logging.apache.org` mailing list:
>
> 6x +1 (accepting the process), all binding
> 2x +0 (abstaining)
>
> Details:
>
> +1 (accepting the process):
> Ralph Goers (binding)
> Gary Gregory (binding)
> Christian Grobmeier (binding)
> Carter Kozak (binding)
> Matt Sicker (binding)
> Volkan Yazıcı (binding)
>
> +0:
> Xeno Amess (non binding)
> Dominik Psenner (binding)
>
> The PMC decided unanimously to introduce the aforementioned CVE
> creation process.
>
> Kind regards,
> Volkan
>
> [1] Note that this process only involves the creation of CVEs and
> doesn't interfere with any form of fixes or releases.
> [2] An action with lazy approval is implicitly allowed unless a -1
> vote is received, at which time, depending on the type of action,
> either lazy majority or lazy consensus approval must be obtained. For
> details see https://logging.apache.org/guidelines.html
>


[RESULT][VOTE] CVE creation process

2022-01-07 Thread Volkan Yazıcı
Hello,

This is the result of the vote introducing the process that enforces
CVE submissions[1] and their content to be first subject to voting by
means of "lazy approval"[2] using the (private)
`secur...@logging.apache.org` mailing list:

6x +1 (accepting the process), all binding
2x +0 (abstaining)

Details:

+1 (accepting the process):
Ralph Goers (binding)
Gary Gregory (binding)
Christian Grobmeier (binding)
Carter Kozak (binding)
Matt Sicker (binding)
Volkan Yazıcı (binding)

+0:
Xeno Amess (non binding)
Dominik Psenner (binding)

The PMC decided unanimously to introduce the aforementioned CVE
creation process.

Kind regards,
Volkan

[1] Note that this process only involves the creation of CVEs and
doesn't interfere with any form of fixes or releases.
[2] An action with lazy approval is implicitly allowed unless a -1
vote is received, at which time, depending on the type of action,
either lazy majority or lazy consensus approval must be obtained. For
details see https://logging.apache.org/guidelines.html


Re: [VOTE] CVE creation process

2022-01-07 Thread Volkan Yazıcı
+1 (with lazy approval)

On Mon, Jan 3, 2022 at 12:59 PM Volkan Yazıcı  wrote:

> Hello,
>
> As discussed earlier[1], this is a vote to introduce the process that
> enforces CVE submissions and their content should be first subject to
> voting using the (private) `secur...@logging.apache.org` mailing list.
>
> [] +1, accept the process
> [] -1, object to the process because...
>
> The vote will remain open for 72 hours (or more if required). All
> votes are welcome and we encourage everyone to participate, but only
> Logging PMC votes are “officially” counted. As always, at least 3 +1
> votes and more positive than negative votes are required.
>
> Kind regards.
>
> [1] https://lists.apache.org/thread/qd7mr5pt9kby3lkz4j49304tkqgm9yhl
>


Re: [VOTE] CVE creation process

2022-01-03 Thread Matt Sicker
+1 for going with lazy approval CVE process.
--
Matt Sicker

> On Jan 3, 2022, at 05:59, Volkan Yazıcı  wrote:
> 
> Hello,
> 
> As discussed earlier[1], this is a vote to introduce the process that
> enforces CVE submissions and their content should be first subject to
> voting using the (private) `secur...@logging.apache.org` mailing list.
> 
> [] +1, accept the process
> [] -1, object to the process because...
> 
> The vote will remain open for 72 hours (or more if required). All
> votes are welcome and we encourage everyone to participate, but only
> Logging PMC votes are “officially” counted. As always, at least 3 +1
> votes and more positive than negative votes are required.
> 
> Kind regards.
> 
> [1] https://lists.apache.org/thread/qd7mr5pt9kby3lkz4j49304tkqgm9yhl



Re: [VOTE] CVE creation process

2022-01-03 Thread Christian Grobmeier
+1, as this only affects the creation of CVEs but does not block the fixing
going on immediately.
I think we do not require a majority though; just waiting to see if someone
objects is fine for me.

On Mon, Jan 3, 2022, at 12:59, Volkan Yazıcı wrote:
> Hello,
>
> As discussed earlier[1], this is a vote to introduce the process that
> enforces CVE submissions and their content should be first subject to
> voting using the (private) `secur...@logging.apache.org` mailing list.
>
> [] +1, accept the process
> [] -1, object to the process because...
>
> The vote will remain open for 72 hours (or more if required). All
> votes are welcome and we encourage everyone to participate, but only
> Logging PMC votes are “officially” counted. As always, at least 3 +1
> votes and more positive than negative votes are required.
>
> Kind regards.
>
> [1] https://lists.apache.org/thread/qd7mr5pt9kby3lkz4j49304tkqgm9yhl


Re: [DISCUSS][VOTE] CVE creation process

2022-01-03 Thread Matt Sicker
Lazy approval is the technical term for the voting style you’re describing.
Lazy consensus is how committers and PMC members are voted on. Snippet:

* Lazy consensus requires 3 binding +1 votes and no binding vetoes.
* A lazy majority vote requires 3 binding +1 votes and more binding +1 votes
than -1 votes.
* An action with lazy approval is implicitly allowed unless a -1 vote is
received, at which time, depending on the type of action, either lazy majority
or lazy consensus approval must be obtained.

Taken from https://logging.apache.org/guidelines.html, which would be great to
modify to add this type of vote to, but it says modifying the doc requires a
2/3 majority of the PMC to approve.
--
Matt Sicker

> On Jan 3, 2022, at 09:49, Ralph Goers  wrote:
> 
> I would have recommended doing this vote by lazy consensus - i.e. you only 
> need to vote if you object, since we have previously discussed this and no 
> one seemed to object.
> 
> Ralph
> 
>> On Jan 3, 2022, at 4:59 AM, Volkan Yazıcı  wrote:
>> 
>> Hello,
>> 
>> As discussed earlier[1], this is a vote to introduce the process that
>> enforces CVE submissions and their content should be first subject to
>> voting using the (private) `secur...@logging.apache.org` mailing list.
>> 
>> [] +1, accept the process
>> [] -1, object to the process because...
>> 
>> The vote will remain open for 72 hours (or more if required). All
>> votes are welcome and we encourage everyone to participate, but only
>> Logging PMC votes are “officially” counted. As always, at least 3 +1
>> votes and more positive than negative votes are required.
>> 
>> Kind regards.
>> 
>> [1] https://lists.apache.org/thread/qd7mr5pt9kby3lkz4j49304tkqgm9yhl
>> 
> 



Re: [VOTE] CVE creation process

2022-01-03 Thread Dominik Psenner
+-0

I have no strong opinion. I do believe that an informal consensus about our
best practice should be all we need. It should suffice when two PMC members
acknowledge both the fix and the official communication. My perception is that
we already do our best. Beyond that, it will always be a walk on the edge to
satisfy all and any potential criteria (response time, quality of the fix,
quality of the communication, quality of the mitigation procedures, ...). We
may have to accept that these criteria will never be exactly the same and
have the same weight for all security issues.

--
Sent from my phone. Typos are a kind gift to anyone who happens to find
them.

On Mon, Jan 3, 2022, 16:54 Jason Pyeron  wrote:

> > -Original Message-
> > From: Xeno Amess
> > Sent: Monday, January 3, 2022 10:40 AM
> >
> > +0
> >
> > I am just worried about several things.
> >
> > 1. Will it make the CVE's fix come out more slowly?
> > A vote usually means waiting for 72 hours.
> >
> > 2. Do all PMC members who enter the vote always have enough ability and
> > knowledge to tell how severe a vulnerability is? Some vulnerabilities seem
> > like a small problem, nothing at all, but would actually do very much damage.
>
>
> 1. see: https://www.apache.org/foundation/voting.html
>
> 2. it does not have to be 72 hours.
>
> 3. Use CONSENSUS THROUGH SILENCE.
>
> e.g.
>
> Subject: Vote on apply CVE of 8.3 (v3 score) to release x.y.z [18 hours,
> silence=approve]
>
> SUMMARY... blah blah blah
>
> [] +1, Create CVE and accept tag release
> [] -1, DO NOT create CVE and address release at another time / vote
>
> The vote will remain open for 18 hours (short security timeline). All
> votes are welcome and we encourage everyone to participate, but only
> Logging PMC votes are “officially” counted. As always, at least 3 +1
> votes and more positive than negative votes are required.
>
> LACK OF NEGATIVE VOTES will be assumed as a consensus.
>
> -Jason
>
>


[DISCUSS][VOTE] CVE creation process

2022-01-03 Thread Ralph Goers
While you may think they are just investigating the vulnerability, there
really is a lot more that goes on behind the scenes. I know the second or third
CVE we addressed took several days for me to be able to confirm it was actually
a vulnerability. I was quite surprised that the DNS system doesn’t follow the
spec and reject invalid DNS names on some systems. I couldn’t understand how
anything bad could happen with a URL with invalid characters in the host name
field. We actually had a few reports on the issue from different sources. One
reporter actually then did quite a bit of research to find out which systems
rejected the attack and which allowed it.

So I would give the team as much time as they need to respond.

Ralph

> On Jan 3, 2022, at 8:46 AM, Xeno Amess  wrote:
> 
> It is already slow enough...
> 
> I submitted a vulnerability which I think can score at least 7 points to an
> Apache project (not this one) the day before yesterday.
> 
> And they have not finished the investigation yet... two days already...
> 
> And considering this is during vacation, it is normal to assume the actions
> will be slower than on work days.
> 
> I know nearly everybody here is a volunteer, myself included.
> 
> I'm not complaining, but I just want to say that things in Apache are
> already slow, maybe too slow for solving some emergency vulnerability.
> 
> And now we would add another 72-hour voting procedure...
> 
> On Mon, Jan 3, 2022 at 23:39, Xeno Amess wrote:
> 
>> +0
>> 
>> I am just worried about several things.
>> 
>> 1. Will it make the CVE's fix come out more slowly?
>> A vote usually means waiting for 72 hours.
>> 
>> 2. Do all PMC members who enter the vote always have enough ability and
>> knowledge to tell how severe a vulnerability is? Some vulnerabilities seem
>> like a small problem, nothing at all, but would actually do very much damage.
>> 
>> 
>> On Mon, Jan 3, 2022 at 22:53, Carter Kozak wrote:
>> 
>>> +1
>>> 
>>> -ck
>>> 
 On Jan 3, 2022, at 6:59 AM, Volkan Yazıcı  wrote:
 
 Hello,
 
 As discussed earlier[1], this is a vote to introduce the process that
 enforces CVE submissions and their content should be first subject to
 voting using the (private) `secur...@logging.apache.org` mailing list.
 
 [] +1, accept the process
 [] -1, object to the process because...
 
 The vote will remain open for 72 hours (or more if required). All
 votes are welcome and we encourage everyone to participate, but only
 Logging PMC votes are “officially” counted. As always, at least 3 +1
 votes and more positive than negative votes are required.
 
 Kind regards.
 
 [1] https://lists.apache.org/thread/qd7mr5pt9kby3lkz4j49304tkqgm9yhl
>>> 
>>> 



RE: [VOTE] CVE creation process

2022-01-03 Thread Jason Pyeron
> -Original Message-
> From: Xeno Amess
> Sent: Monday, January 3, 2022 10:40 AM
> 
> +0
> 
> I am just worried about several things.
> 
> 1. Will it make the CVE's fix come out more slowly?
> A vote usually means waiting for 72 hours.
> 
> 2. Do all PMC members who enter the vote always have enough ability and
> knowledge to tell how severe a vulnerability is? Some vulnerabilities seem
> like a small problem, nothing at all, but would actually do very much damage.


1. see: https://www.apache.org/foundation/voting.html

2. it does not have to be 72 hours.

3. Use CONSENSUS THROUGH SILENCE.

e.g. 

Subject: Vote on apply CVE of 8.3 (v3 score) to release x.y.z [18 hours, 
silence=approve]

SUMMARY... blah blah blah

[] +1, Create CVE and accept tag release
[] -1, DO NOT create CVE and address release at another time / vote

The vote will remain open for 18 hours (short security timeline). All
votes are welcome and we encourage everyone to participate, but only
Logging PMC votes are “officially” counted. As always, at least 3 +1
votes and more positive than negative votes are required.

LACK OF NEGATIVE VOTES will be assumed as a consensus.

-Jason



[DISCUSS][VOTE] CVE creation process

2022-01-03 Thread Ralph Goers
These are two really good questions!

The 72 hours is recommended due to people being spread around the world and
people being unavailable due to pressing $dayjob or family items, weekends,
etc. But in an emergency the voting period can be compressed. This PMC has done
a remarkably good job of completing several release votes in a short period of
time over the last few weeks.

The PMC has several forms of communication we take advantage of. Although not
all PMC members are familiar with the code in each project, we all are pretty
good at grasping the concepts at a detailed enough level to participate in the
conversation and form an opinion.

Ralph

> On Jan 3, 2022, at 8:39 AM, Xeno Amess  wrote:
> 
> +0
> 
> I am just worried about several things.
> 
> 1. Will it make the CVE's fix come out more slowly?
> A vote usually means waiting for 72 hours.
> 
> 2. Do all PMC members who enter the vote always have enough ability and
> knowledge to tell how severe a vulnerability is? Some vulnerabilities seem
> like a small problem, nothing at all, but would actually do very much damage.
> 
> 
> On Mon, Jan 3, 2022 at 22:53, Carter Kozak wrote:
> 
>> +1
>> 
>> -ck
>> 
>>> On Jan 3, 2022, at 6:59 AM, Volkan Yazıcı  wrote:
>>> 
>>> Hello,
>>> 
>>> As discussed earlier[1], this is a vote to introduce the process that
>>> enforces CVE submissions and their content should be first subject to
>>> voting using the (private) `secur...@logging.apache.org` mailing list.
>>> 
>>> [] +1, accept the process
>>> [] -1, object to the process because...
>>> 
>>> The vote will remain open for 72 hours (or more if required). All
>>> votes are welcome and we encourage everyone to participate, but only
>>> Logging PMC votes are “officially” counted. As always, at least 3 +1
>>> votes and more positive than negative votes are required.
>>> 
>>> Kind regards.
>>> 
>>> [1] https://lists.apache.org/thread/qd7mr5pt9kby3lkz4j49304tkqgm9yhl
>> 
>> 



[DISCUSS][VOTE] CVE creation process

2022-01-03 Thread Ralph Goers
I would have recommended doing this vote by lazy consensus - i.e. you only 
need to vote if you object, since we have previously discussed this and no 
one seemed to object.

Ralph

> On Jan 3, 2022, at 4:59 AM, Volkan Yazıcı  wrote:
> 
> Hello,
> 
> As discussed earlier[1], this is a vote to introduce the process that
> enforces CVE submissions and their content should be first subject to
> voting using the (private) `secur...@logging.apache.org` mailing list.
> 
> [] +1, accept the process
> [] -1, object to the process because...
> 
> The vote will remain open for 72 hours (or more if required). All
> votes are welcome and we encourage everyone to participate, but only
> Logging PMC votes are “officially” counted. As always, at least 3 +1
> votes and more positive than negative votes are required.
> 
> Kind regards.
> 
> [1] https://lists.apache.org/thread/qd7mr5pt9kby3lkz4j49304tkqgm9yhl
> 



Re: [VOTE] CVE creation process

2022-01-03 Thread Xeno Amess
It is already slow enough...

I submitted a vulnerability which I think can score at least 7 points to an
Apache project (not this one) the day before yesterday.

And they have not finished the investigation yet... two days already...

And considering this is during vacation, it is normal to assume the actions
will be slower than on work days.

I know nearly everybody here is a volunteer, myself included.

I'm not complaining, but I just want to say that things in Apache are
already slow, maybe too slow for solving some emergency vulnerability.

And now we would add another 72-hour voting procedure...

On Mon, Jan 3, 2022 at 23:39, Xeno Amess wrote:

> +0
>
> I am just worried about several things.
>
> 1. Will it make the CVE's fix come out more slowly?
> A vote usually means waiting for 72 hours.
>
> 2. Do all PMC members who enter the vote always have enough ability and
> knowledge to tell how severe a vulnerability is? Some vulnerabilities seem
> like a small problem, nothing at all, but would actually do very much damage.
>
>
> On Mon, Jan 3, 2022 at 22:53, Carter Kozak wrote:
>
>> +1
>>
>> -ck
>>
>> > On Jan 3, 2022, at 6:59 AM, Volkan Yazıcı  wrote:
>> >
>> > Hello,
>> >
>> > As discussed earlier[1], this is a vote to introduce the process that
>> > enforces CVE submissions and their content should be first subject to
>> > voting using the (private) `secur...@logging.apache.org` mailing list.
>> >
>> > [] +1, accept the process
>> > [] -1, object to the process because...
>> >
>> > The vote will remain open for 72 hours (or more if required). All
>> > votes are welcome and we encourage everyone to participate, but only
>> > Logging PMC votes are “officially” counted. As always, at least 3 +1
>> > votes and more positive than negative votes are required.
>> >
>> > Kind regards.
>> >
>> > [1] https://lists.apache.org/thread/qd7mr5pt9kby3lkz4j49304tkqgm9yhl
>>
>>


Re: [VOTE] CVE creation process

2022-01-03 Thread Ralph Goers
+1

Ralph

> On Jan 3, 2022, at 4:59 AM, Volkan Yazıcı  wrote:
> 
> Hello,
> 
> As discussed earlier[1], this is a vote to introduce the process that
> enforces CVE submissions and their content should be first subject to
> voting using the (private) `secur...@logging.apache.org` mailing list.
> 
> [] +1, accept the process
> [] -1, object to the process because...
> 
> The vote will remain open for 72 hours (or more if required). All
> votes are welcome and we encourage everyone to participate, but only
> Logging PMC votes are “officially” counted. As always, at least 3 +1
> votes and more positive than negative votes are required.
> 
> Kind regards.
> 
> [1] https://lists.apache.org/thread/qd7mr5pt9kby3lkz4j49304tkqgm9yhl
> 



Re: [VOTE] CVE creation process

2022-01-03 Thread Xeno Amess
+0

I am just worried about several things.

1. Will it make the CVE's fix come out more slowly?
A vote usually means waiting for 72 hours.

2. Do all PMC members who enter the vote always have enough ability and
knowledge to tell how severe a vulnerability is? Some vulnerabilities seem
like a small problem, nothing at all, but would actually do very much damage.


On Mon, Jan 3, 2022 at 22:53, Carter Kozak wrote:

> +1
>
> -ck
>
> > On Jan 3, 2022, at 6:59 AM, Volkan Yazıcı  wrote:
> >
> > Hello,
> >
> > As discussed earlier[1], this is a vote to introduce the process that
> > enforces CVE submissions and their content should be first subject to
> > voting using the (private) `secur...@logging.apache.org` mailing list.
> >
> > [] +1, accept the process
> > [] -1, object to the process because...
> >
> > The vote will remain open for 72 hours (or more if required). All
> > votes are welcome and we encourage everyone to participate, but only
> > Logging PMC votes are “officially” counted. As always, at least 3 +1
> > votes and more positive than negative votes are required.
> >
> > Kind regards.
> >
> > [1] https://lists.apache.org/thread/qd7mr5pt9kby3lkz4j49304tkqgm9yhl
>
>


Re: [VOTE] CVE creation process

2022-01-03 Thread Carter Kozak
+1

-ck

> On Jan 3, 2022, at 6:59 AM, Volkan Yazıcı  wrote:
> 
> Hello,
> 
> As discussed earlier[1], this is a vote to introduce the process that
> enforces CVE submissions and their content should be first subject to
> voting using the (private) `secur...@logging.apache.org` mailing list.
> 
> [] +1, accept the process
> [] -1, object to the process because...
> 
> The vote will remain open for 72 hours (or more if required). All
> votes are welcome and we encourage everyone to participate, but only
> Logging PMC votes are “officially” counted. As always, at least 3 +1
> votes and more positive than negative votes are required.
> 
> Kind regards.
> 
> [1] https://lists.apache.org/thread/qd7mr5pt9kby3lkz4j49304tkqgm9yhl



Re: [VOTE] CVE creation process

2022-01-03 Thread Gary Gregory
[X] +1, accept the process

Gary

On Mon, Jan 3, 2022 at 6:59 AM Volkan Yazıcı  wrote:

> Hello,
>
> As discussed earlier[1], this is a vote to introduce the process that
> enforces CVE submissions and their content should be first subject to
> voting using the (private) `secur...@logging.apache.org` mailing list.
>
> [] +1, accept the process
> [] -1, object to the process because...
>
> The vote will remain open for 72 hours (or more if required). All
> votes are welcome and we encourage everyone to participate, but only
> Logging PMC votes are “officially” counted. As always, at least 3 +1
> votes and more positive than negative votes are required.
>
> Kind regards.
>
> [1] https://lists.apache.org/thread/qd7mr5pt9kby3lkz4j49304tkqgm9yhl
>


[VOTE] CVE creation process

2022-01-03 Thread Volkan Yazıcı
Hello,

As discussed earlier[1], this is a vote to introduce the process that
enforces CVE submissions and their content should be first subject to
voting using the (private) `secur...@logging.apache.org` mailing list.

[] +1, accept the process
[] -1, object to the process because...

The vote will remain open for 72 hours (or more if required). All
votes are welcome and we encourage everyone to participate, but only
Logging PMC votes are “officially” counted. As always, at least 3 +1
votes and more positive than negative votes are required.

Kind regards.

[1] https://lists.apache.org/thread/qd7mr5pt9kby3lkz4j49304tkqgm9yhl