Re: [all] OSS Fuzz

2021-04-17 Thread Matt Sicker
Can we make a Google group or shared Google account for the commons PMC? On Sat, Apr 17, 2021 at 17:43 sebb wrote: > On Sat, 17 Apr 2021 at 18:05, Fabian Meumertzheim > wrote: > > > > On Sat, Apr 17, 2021 at 3:58 PM Stefan Bodewig > wrote: > > > > > > I'm not sure I understand this. AFAIU I

Re: Redesign of Commons website generation (was: CMS Deprecated. Removal of configs and move to new publishing area)

2021-04-17 Thread Ralph Goers
> On Apr 17, 2021, at 3:32 PM, sebb wrote: > > On Sat, 17 Apr 2021 at 22:57, Ralph Goers > wrote: >> >> >> When I release Log4j I run mvn site followed by "mvn site:stage >> -DstagingDirectory=$HOME/log4j" on my laptop. I validate the site locally >> and

Re: [all] OSS Fuzz

2021-04-17 Thread sebb
On Sat, 17 Apr 2021 at 18:05, Fabian Meumertzheim wrote: > > On Sat, Apr 17, 2021 at 3:58 PM Stefan Bodewig wrote: > > > > I'm not sure I understand this. AFAIU I could never become a "primary" > > or an "auto_cc" as I will not create a Google account. Do we need to > > have one? In that case

Re: [all] OSS Fuzz

2021-04-17 Thread sebb
On Sat, 17 Apr 2021 at 17:33, Gary Gregory wrote: > > I'll go with the consensus here but I feel that the security list should be > for humans and posts there deserve human attention on an ASAP basis. I've > just seen too many false positives and noise from automated tools over the > years.

Re: Redesign of Commons website generation (was: CMS Deprecated. Removal of configs and move to new publishing area)

2021-04-17 Thread sebb
On Sat, 17 Apr 2021 at 22:57, Ralph Goers wrote: > > You should see my other message but I will reply to your questions also. > > > On Apr 16, 2021, at 1:37 PM, Gilles Sadowski wrote: > > > > Hello. > > > > Le ven. 16 avr. 2021 à 20:39, Ralph Goers a > > écrit : > >> > >> FYI - I did the work

Re: Redesign of Commons website generation (was: CMS Deprecated. Removal of configs and move to new publishing area)

2021-04-17 Thread Ralph Goers
One other thing I should add. Although Infra’s pages mention tools that you can use, those are just suggestions. As long as you use the .asf.yaml files and place the files in the correct locations in the repos you can use any tooling you want to create the sites. I used JBake because I felt it

Re: Redesign of Commons website generation (was: CMS Deprecated. Removal of configs and move to new publishing area)

2021-04-17 Thread Ralph Goers
You should see my other message but I will reply to your questions also. > On Apr 16, 2021, at 1:37 PM, Gilles Sadowski wrote: > > Hello. > > Le ven. 16 avr. 2021 à 20:39, Ralph Goers a > écrit : >> >> FYI - I did the work of moving Logging Services site from the CMS to git. It >> really

Re: Redesign of Commons website generation (was: CMS Deprecated. Removal of configs and move to new publishing area)

2021-04-17 Thread Ralph Goers
Yes, I see there are pieces of missing information. When I was doing the work I referred to a couple of Infra web pages to figure out how things worked. The links are below. In particular, see "Specifying a sub-directory to publish to" in the second link. The .asf.yaml file is the key. The

Re: [all] OSS Fuzz

2021-04-17 Thread Fabian Meumertzheim
On Sat, Apr 17, 2021 at 3:58 PM Stefan Bodewig wrote: > > I'm not sure I understand this. AFAIU I could never become a "primary" > or an "auto_cc" as I will not create a Google account. Do we need to > have one? In that case somebody who doesn't share my personal set of > allergic reactions may

Re: [all] OSS Fuzz

2021-04-17 Thread Gary Gregory
I'll go with the consensus here but I feel that the security list should be for humans and posts there deserve human attention on an ASAP basis. I've just seen too many false positives and noise from automated tools over the years. Gary On Sat, Apr 17, 2021, 09:48 Stefan Bodewig wrote: > On

Re: [all] OSS Fuzz

2021-04-17 Thread Matt Sicker
I have a Google account I can be CC’d on. I do security engineering professionally, so I have some experience in the area as well. On Sat, Apr 17, 2021 at 08:58 Stefan Bodewig wrote: > On 2021-04-15, Fabian Meumertzheim wrote: > > > Just to keep the following in mind: Full access to bug reports

Re: [all] OSS Fuzz

2021-04-17 Thread Stefan Bodewig
On 2021-04-15, Fabian Meumertzheim wrote: > Just to keep the following in mind: Full access to bug reports and > reproducers requires a Google account (which can be associated with > any existing non-list email address). At least the moderators of the > list would therefore have to be listed

Re: [all] OSS Fuzz

2021-04-17 Thread Stefan Bodewig
On 2021-04-13, Gary Gregory wrote: > Please don't use @security for automated emails, that ML IMO should be for > humans. > If you want to set up a new ML for bots that's fine, we can direct GitHub's > Dependabot emails there if GitHub allows for that. I don't believe dependabot and the results

Re: Redesign of Commons website generation (was: CMS Deprecated. Removal of configs and move to new publishing area)

2021-04-17 Thread sebb
On Fri, 16 Apr 2021 at 19:39, Ralph Goers wrote: > > FYI - I did the work of moving Logging Services site from the CMS to git. It > really wasn’t that hard. The main web site is at > https://github.com/apache/logging-site > . Each of the subproject has

Re: [all] OSS Fuzz

2021-04-17 Thread Stefan Bodewig
On 2021-04-13, Mark Thomas wrote: > On 13/04/2021 17:49, Stefan Bodewig wrote: > >> Fabian has offered to set up OSS Fuzz for Compress. Given that the >> issues OSS Fuzz detects may or may not be security sensitive, I don't >> feel it would be a good idea to have the tool send reports to a