Just a quick update here - it sounds like the project may opt to allow committers (non-PMC members) to join the security list. Discussion here: https://lists.apache.org/thread/k9rt56y3j4vd2gczbn257qf4x272vz1o
I expect the same logic would apply to this WG. Mike On Tue, May 2, 2023 at 7:40 PM Gus Heck <gus.h...@gmail.com> wrote: > @Kevin, Cool, I think with 4-5 people volunteering this is a go, and > perhaps the working group can do a quick kick off (30 min) online call > somewhere around the 15th? > > @Marcus Please don't hesitate to suggest improvements (or implement them!) > Also feel 100% free to suggest improvements to my list of goals or > brainstorm ideas to flesh them out. Happy to have community involvement at > all levels. The core idea of the working group is to get a few people > invested in this particular aspect of solr and improve the timeliness and > quality of our responses to reports. The more help we get the better. One > of the best possible results would be if this got people thinking and we > got more participation out of it. > > -Gus > > On Tue, May 2, 2023 at 7:19 PM Marcus Eagan <marcusea...@gmail.com> wrote: > > > Also happy to contribute from the outside, or one foot in rather :-) > > > > Security is my motivation for most of the work that I have done in the > > project to date. > > > > > > On Tue, May 2, 2023 at 3:51 PM Kevin Risden <kris...@apache.org> wrote: > > > > > I'm happy to contribute. > > > > > > Kevin Risden > > > > > > > > > On Tue, May 2, 2023 at 3:47 PM Arrieta, Alejandro < > > > aarri...@perrinsoftware.com> wrote: > > > > > > > Hi Gus, > > > > > > > > thx 4 clarification. > > > > Well I need to work on those 2 requirements then :-) > > > > > > > > Thanks > > > > Alejandro Arrieta > > > > > > > > > > > > On Tue, May 2, 2023 at 3:40 PM Gus Heck <gus.h...@gmail.com> wrote: > > > > > > > > > Unfortunately, since part of the duties will be responding to the > > > queries > > > > > sent to secur...@solr.apache.org, one must be both a committer > and a > > > PMC > > > > > member. However, I expect that this group will make suggestions > about > > > > > anything unrelated to un-announced security issues to the wider > list > > > for > > > > a > > > > > typical discussion/proposal/vote cycle. > > > > > > > > > > On Tue, May 2, 2023 at 3:28 PM Arrieta, Alejandro < > > > > > aarri...@perrinsoftware.com> wrote: > > > > > > > > > > > Hello Team, > > > > > > > > > > > > Do you need to be a committer to join the group? > > > > > > > > > > > > Kind Regards, > > > > > > Alejandro Arrieta > > > > > > > > > > > > On Tue, May 2, 2023 at 3:23 PM Gus Heck <gus.h...@gmail.com> > > wrote: > > > > > > > > > > > > > Cool that means so far we have: > > > > > > > > > > > > > > 1. Me (Gus Heck) > > > > > > > 2. Jason Gerlowski > > > > > > > 3. Mike Drob > > > > > > > 4. (maybe?) David Smiley > > > > > > > > > > > > > > > > > > > > > On Tue, May 2, 2023 at 3:02 PM Mike Drob <md...@mdrob.com> > > wrote: > > > > > > > > > > > > > > > Howdy folks. I'd be happy to step into this working group. > > > > > > > > > > > > > > > > On Mon, May 1, 2023 at 12:34 PM Gus Heck <gus.h...@gmail.com > > > > > > wrote: > > > > > > > > > > > > > > > > > Awesome, glad to have you Jason, I in the end feel the same > > way > > > > > about > > > > > > > my > > > > > > > > > spot. Mostly I qualify as "concerned citizen", possibly > with > > > "who > > > > > > > thought > > > > > > > > > about it some and has ideas" added. If we get more than 5 > > > > > volunteers > > > > > > we > > > > > > > > can > > > > > > > > > start comparing credentials. > > > > > > > > > > > > > > > > > > On Mon, May 1, 2023 at 1:17 PM Jason Gerlowski < > > > > > > gerlowsk...@gmail.com> > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > Hi Gus, > > > > > > > > > > > > > > > > > > > > I think this is a great idea. > > > > > > > > > > > > > > > > > > > > I don't have much security background that'd make me a > > > > > particularly > > > > > > > > > > good fit, but absent someone with that background > stepping > > > up, > > > > > I'm > > > > > > > > > > willing to volunteer for one of the spots. (I'd be more > > than > > > > > happy > > > > > > > to > > > > > > > > > > bow out if better qualified folks come along.) > > > > > > > > > > > > > > > > > > > > Best, > > > > > > > > > > > > > > > > > > > > Jason > > > > > > > > > > > > > > > > > > > > On Sun, Apr 30, 2023 at 7:14 PM David Smiley < > > > > dsmi...@apache.org > > > > > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > > Pretty sleepy thread so far; apparently nobody else is > > > > > interested > > > > > > > in > > > > > > > > > > > talking about Solr security -- LOL ;-) > > > > > > > > > > > > > > > > > > > > > > ~ David Smiley > > > > > > > > > > > Apache Lucene/Solr Search Developer > > > > > > > > > > > http://www.linkedin.com/in/davidwsmiley > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Wed, Apr 26, 2023 at 8:25 AM Gus Heck < > > > gus.h...@gmail.com > > > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > > > Thanks David. It would be great to have you if you > can > > > find > > > > > > time > > > > > > > > for > > > > > > > > > > it. As > > > > > > > > > > > > far as time commitment goes, I think it should become > > > > minimal > > > > > > > > after a > > > > > > > > > > while > > > > > > > > > > > > unless we have a flood of security reports to respond > > to. > > > > > For a > > > > > > > > > little > > > > > > > > > > > > while after initial organization, I think the members > > > will > > > > > want > > > > > > > to > > > > > > > > > put > > > > > > > > > > a > > > > > > > > > > > > bit of effort into hitting some of the goals I > > mentioned. > > > > > > > > > > > > > > > > > > > > > > > > On Tue, Apr 25, 2023 at 12:28 AM David Smiley < > > > > > > > dsmi...@apache.org> > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > > > > > This is a thoughtful organization attempt and > > needed, I > > > > > > think. > > > > > > > > > > Thanks > > > > > > > > > > > > Gus! > > > > > > > > > > > > > > > > > > > > > > > > > > I want to see if I could get a security > > > > specialist/engineer > > > > > > > > where I > > > > > > > > > > work > > > > > > > > > > > > to > > > > > > > > > > > > > help us with this. I'm tempted to say I'm joining > > this > > > > > thing > > > > > > > but > > > > > > > > > I'm > > > > > > > > > > > > weary > > > > > > > > > > > > > of dedicating time per week. > > > > > > > > > > > > > > > > > > > > > > > > > > ~ David Smiley > > > > > > > > > > > > > Apache Lucene/Solr Search Developer > > > > > > > > > > > > > http://www.linkedin.com/in/davidwsmiley > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Mon, Apr 24, 2023 at 1:33 PM Gus Heck < > > > > > gus.h...@gmail.com > > > > > > > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > > > > > > > *Rationale* > > > > > > > > > > > > > > > > > > > > > > > > > > > > Over the course of the last decade the way > software > > > > > > security > > > > > > > is > > > > > > > > > > viewed > > > > > > > > > > > > > has > > > > > > > > > > > > > > changed. Solr has changed significantly over this > > > time > > > > > too > > > > > > > and > > > > > > > > we > > > > > > > > > > have > > > > > > > > > > > > > > gained some important security features and > fixed a > > > > > variety > > > > > > > of > > > > > > > > > > > > > > vulnerabilities. However, I think as a project we > > > have > > > > > not > > > > > > > > really > > > > > > > > > > > > > developed > > > > > > > > > > > > > > a clear vision of what our security goals and use > > > cases > > > > > > are. > > > > > > > I > > > > > > > > > have > > > > > > > > > > > > > > witnessed a fair bit of variability in the > > responses > > > to > > > > > > > > security > > > > > > > > > > > > related > > > > > > > > > > > > > > queries, and I think much of the variability > comes > > > from > > > > > > > > > conflation > > > > > > > > > > > > among > > > > > > > > > > > > > > "good practical advice", "somewhat dated advice" > > and > > > > > > "varying > > > > > > > > > > notions > > > > > > > > > > > > of > > > > > > > > > > > > > > supported use cases". We also regularly receive > > > reports > > > > > to > > > > > > > the > > > > > > > > > > > > > > secur...@solr.apache.org address that involve > > > > > > investigations > > > > > > > > > into > > > > > > > > > > > > > systems > > > > > > > > > > > > > > that are not properly secured to begin with or > > > > configured > > > > > > to > > > > > > > > > > explicitly > > > > > > > > > > > > > > allow the dangerous behavior and it's a shame to > > see > > > > > > security > > > > > > > > > > > > researchers > > > > > > > > > > > > > > waste their time on that. Finally, the PMC and > set > > of > > > > > > people > > > > > > > > > > subscribed > > > > > > > > > > > > > to > > > > > > > > > > > > > > secur...@solr.apache.org is a large enough group > > > that > > > > > > > incoming > > > > > > > > > > mails > > > > > > > > > > > > > often > > > > > > > > > > > > > > seem to languish in a classic example of nobody > > > having > > > > > > actual > > > > > > > > > > specific > > > > > > > > > > > > > > responsibility for responding. > > > > > > > > > > > > > > > > > > > > > > > > > > > > *Proposal* > > > > > > > > > > > > > > The Solr PMC should appoint from among its > members > > > > > either 3 > > > > > > > to > > > > > > > > 5 > > > > > > > > > > > > > > individuals to serve as a "security working > group" > > > > > > Membership > > > > > > > > in > > > > > > > > > > the > > > > > > > > > > > > > > "Security Working Group" requires subscribing to > > > > > > > > > > > > > secur...@solr.apache.org, > > > > > > > > > > > > > > and a 30 minute conference call once or twice a > > > month. > > > > > This > > > > > > > > > working > > > > > > > > > > > > group > > > > > > > > > > > > > > would have the following goals. > > > > > > > > > > > > > > > > > > > > > > > > > > > > 1. Establish a relationship with someone who's > > > core > > > > > job > > > > > > > > > > function is > > > > > > > > > > > > > > computer security, rather than providing > search > > > (I'm > > > > > > > hoping > > > > > > > > > the > > > > > > > > > > ASF > > > > > > > > > > > > > has > > > > > > > > > > > > > > some people who secure their systems that > could > > > be a > > > > > > > > > resource). > > > > > > > > > > This > > > > > > > > > > > > > > person > > > > > > > > > > > > > > should be willing to offer a systems security > > > > > > perspective > > > > > > > on > > > > > > > > > our > > > > > > > > > > > > goals > > > > > > > > > > > > > > and > > > > > > > > > > > > > > the security functionality we provide. > > > > > > > > > > > > > > 2. Develop a clear statement of the security > use > > > > cases > > > > > > we > > > > > > > > > would > > > > > > > > > > like > > > > > > > > > > > > > to > > > > > > > > > > > > > > support, and exposition of some scenarios that > > are > > > > > > clearly > > > > > > > > out > > > > > > > > > > of > > > > > > > > > > > > > scope. > > > > > > > > > > > > > > This results in a proposal to be discussed on > > the > > > > dev > > > > > > list > > > > > > > > and > > > > > > > > > > users > > > > > > > > > > > > > > list > > > > > > > > > > > > > > and eventually voted on. > > > > > > > > > > > > > > 3. Identification of use cases we would like > to > > > > > support > > > > > > > that > > > > > > > > > > are not > > > > > > > > > > > > > yet > > > > > > > > > > > > > > supported, and publicize them to encourage > these > > > > > > > > > contributions. > > > > > > > > > > > > > > 4. Review of documentation to ensure > consistency > > > > with > > > > > > our > > > > > > > > > > current > > > > > > > > > > > > > state > > > > > > > > > > > > > > (security only, perhaps annually?). > > > > > > > > > > > > > > 5. Creation of a "security report checklist" > > that > > > > > > security > > > > > > > > > > > > researchers > > > > > > > > > > > > > > can self apply before they submit reports. > > > > > > > > > > > > > > 6. Form letters for consistent response to > > reports > > > > > that > > > > > > > > > haven't > > > > > > > > > > > > passed > > > > > > > > > > > > > > the checklist. > > > > > > > > > > > > > > 7. Provide consistent and prompt responses to > > > > possible > > > > > > > > > > > > > > vulnerabilities reported to > secur...@apache.org > > . > > > > > Those > > > > > > > > > > subscribed > > > > > > > > > > > > to > > > > > > > > > > > > > > secur...@solr.apache.org who are not in the > > > working > > > > > > group > > > > > > > > > > should > > > > > > > > > > > > > allow > > > > > > > > > > > > > > the working group time to respond before > > > responding > > > > > > > > > themselves. > > > > > > > > > > > > > > 8. When asked, offer opinions on proposed new > > > > > security > > > > > > > > > features > > > > > > > > > > > > > > regarding consistency with the goals (working > > > group > > > > to > > > > > > > > > discuss, > > > > > > > > > > > > return > > > > > > > > > > > > > > with > > > > > > > > > > > > > > an opinion, always publically and just as a > > voice > > > in > > > > > the > > > > > > > > > > > > conversation, > > > > > > > > > > > > > > not > > > > > > > > > > > > > > as any sort of veto/control, decisions are > still > > > up > > > > to > > > > > > the > > > > > > > > > list > > > > > > > > > > of > > > > > > > > > > > > > > course). > > > > > > > > > > > > > > > > > > > > > > > > > > > > NON-GOAL: The group is not responsible for fixing > > > > > security > > > > > > > bugs > > > > > > > > > or > > > > > > > > > > > > adding > > > > > > > > > > > > > > security features. (nothing stopping them of > > course, > > > > just > > > > > > not > > > > > > > > the > > > > > > > > > > point > > > > > > > > > > > > > of > > > > > > > > > > > > > > the group, which is a goal setting and > consistency > > > > > oriented > > > > > > > > > group) > > > > > > > > > > > > > > > > > > > > > > > > > > > > *Volunteer* > > > > > > > > > > > > > > > > > > > > > > > > > > > > And to lower the barrier to things started, I > > > volunteer > > > > > to > > > > > > > > > > participate > > > > > > > > > > > > in > > > > > > > > > > > > > > this WG for at least a year, and spend up to > > 2h/week > > > on > > > > > > it. I > > > > > > > > > don't > > > > > > > > > > > > think > > > > > > > > > > > > > > any members should be expected to dedicate more > > than > > > > that > > > > > > to > > > > > > > > it, > > > > > > > > > > and > > > > > > > > > > > > > > probably many weeks the time required should be > > less. > > > > > > > > > > > > > > > > > > > > > > > > > > > > *Feedback* > > > > > > > > > > > > > > > > > > > > > > > > > > > > Of course if you think this idea can be tweaked > or > > > > > > improved, > > > > > > > > > speak > > > > > > > > > > up! > > > > > > > > > > > > > The > > > > > > > > > > > > > > whole reason this is mailed to the dev list is to > > get > > > > > broad > > > > > > > > > > feedback so > > > > > > > > > > > > > > that we can implement the best improvements > > possible. > > > > > > > > > > > > > > > > > > > > > > > > > > > > -Gus > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > > > http://www.needhamsoftware.com (work) > > > > > > > > > > > > http://www.the111shift.com (play) > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > --------------------------------------------------------------------- > > > > > > > > > > To unsubscribe, e-mail: dev-unsubscr...@solr.apache.org > > > > > > > > > > For additional commands, e-mail: > dev-h...@solr.apache.org > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > http://www.needhamsoftware.com (work) > > > > > > > > > http://www.the111shift.com (play) > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > http://www.needhamsoftware.com (work) > > > > > > > http://www.the111shift.com (play) > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > http://www.needhamsoftware.com (work) > > > > > http://www.the111shift.com (play) > > > > > > > > > > > > > > > > > > -- > > Marcus Eagan > > > > > -- > http://www.needhamsoftware.com (work) > http://www.the111shift.com (play) >
