Yes, I'd agree, if the person can be on the related mailing list, they can
be in the working group.

On Fri, May 12, 2023 at 1:50 PM Mike Drob <md...@mdrob.com> wrote:

> Just a quick update here - it sounds like the project may opt to allow
> committers (non-PMC members) to join the security list. Discussion here:
> https://lists.apache.org/thread/k9rt56y3j4vd2gczbn257qf4x272vz1o
>
> I expect the same logic would apply to this WG.
>
> Mike
>
> On Tue, May 2, 2023 at 7:40 PM Gus Heck <gus.h...@gmail.com> wrote:
>
> > @Kevin, Cool, I think with 4-5 people volunteering this is a go, and
> > perhaps the working group can do a quick kick off (30 min) online call
> > somewhere around the 15th?
> >
> > @Marcus Please don't hesitate to suggest improvements (or implement
> them!)
> > Also feel 100% free to suggest improvements to my list of goals or
> > brainstorm ideas to flesh them out. Happy to have community involvement
> at
> > all levels. The core idea of the working group is to get a few people
> > invested in this particular aspect of solr and improve the timeliness and
> > quality of our responses to reports. The more help we get the better. One
> > of the best possible results would be if this got people thinking and we
> > got more participation out of it.
> >
> > -Gus
> >
> > On Tue, May 2, 2023 at 7:19 PM Marcus Eagan <marcusea...@gmail.com>
> wrote:
> >
> > > Also happy to contribute from the outside, or one foot in rather :-)
> > >
> > > Security is my motivation for most of the work that I have done in the
> > > project to date.
> > >
> > >
> > > On Tue, May 2, 2023 at 3:51 PM Kevin Risden <kris...@apache.org>
> wrote:
> > >
> > > > I'm happy to contribute.
> > > >
> > > > Kevin Risden
> > > >
> > > >
> > > > On Tue, May 2, 2023 at 3:47 PM Arrieta, Alejandro <
> > > > aarri...@perrinsoftware.com> wrote:
> > > >
> > > > > Hi Gus,
> > > > >
> > > > > thx 4 clarification.
> > > > > Well I need to work on those 2 requirements then :-)
> > > > >
> > > > > Thanks
> > > > > Alejandro Arrieta
> > > > >
> > > > >
> > > > > On Tue, May 2, 2023 at 3:40 PM Gus Heck <gus.h...@gmail.com>
> wrote:
> > > > >
> > > > > > Unfortunately, since part of the duties will be responding to the
> > > > queries
> > > > > > sent to secur...@solr.apache.org, one must be both a committer
> > and a
> > > > PMC
> > > > > > member. However, I expect that this group will make suggestions
> > about
> > > > > > anything unrelated to un-announced security issues to the wider
> > list
> > > > for
> > > > > a
> > > > > > typical discussion/proposal/vote cycle.
> > > > > >
> > > > > > On Tue, May 2, 2023 at 3:28 PM Arrieta, Alejandro <
> > > > > > aarri...@perrinsoftware.com> wrote:
> > > > > >
> > > > > > >  Hello Team,
> > > > > > >
> > > > > > > Do you need to be a committer to join the group?
> > > > > > >
> > > > > > > Kind Regards,
> > > > > > > Alejandro Arrieta
> > > > > > >
> > > > > > > On Tue, May 2, 2023 at 3:23 PM Gus Heck <gus.h...@gmail.com>
> > > wrote:
> > > > > > >
> > > > > > > > Cool that means so far we have:
> > > > > > > >
> > > > > > > >    1. Me (Gus Heck)
> > > > > > > >    2. Jason Gerlowski
> > > > > > > >    3. Mike Drob
> > > > > > > >    4. (maybe?) David Smiley
> > > > > > > >
> > > > > > > >
> > > > > > > > On Tue, May 2, 2023 at 3:02 PM Mike Drob <md...@mdrob.com>
> > > wrote:
> > > > > > > >
> > > > > > > > > Howdy folks. I'd be happy to step into this working group.
> > > > > > > > >
> > > > > > > > > On Mon, May 1, 2023 at 12:34 PM Gus Heck <
> gus.h...@gmail.com
> > >
> > > > > wrote:
> > > > > > > > >
> > > > > > > > > > Awesome, glad to have you Jason, I in the end feel the
> same
> > > way
> > > > > > about
> > > > > > > > my
> > > > > > > > > > spot. Mostly I qualify as "concerned citizen", possibly
> > with
> > > > "who
> > > > > > > > thought
> > > > > > > > > > about it some and has ideas" added. If we get more than 5
> > > > > > volunteers
> > > > > > > we
> > > > > > > > > can
> > > > > > > > > > start comparing credentials.
> > > > > > > > > >
> > > > > > > > > > On Mon, May 1, 2023 at 1:17 PM Jason Gerlowski <
> > > > > > > gerlowsk...@gmail.com>
> > > > > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > > Hi Gus,
> > > > > > > > > > >
> > > > > > > > > > > I think this is a great idea.
> > > > > > > > > > >
> > > > > > > > > > > I don't have much security background that'd make me a
> > > > > > particularly
> > > > > > > > > > > good fit, but absent someone with that background
> > stepping
> > > > up,
> > > > > > I'm
> > > > > > > > > > > willing to volunteer for one of the spots.  (I'd be
> more
> > > than
> > > > > > happy
> > > > > > > > to
> > > > > > > > > > > bow out if better qualified folks come along.)
> > > > > > > > > > >
> > > > > > > > > > > Best,
> > > > > > > > > > >
> > > > > > > > > > > Jason
> > > > > > > > > > >
> > > > > > > > > > > On Sun, Apr 30, 2023 at 7:14 PM David Smiley <
> > > > > dsmi...@apache.org
> > > > > > >
> > > > > > > > > wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > Pretty sleepy thread so far; apparently nobody else
> is
> > > > > > interested
> > > > > > > > in
> > > > > > > > > > > > talking about Solr security -- LOL ;-)
> > > > > > > > > > > >
> > > > > > > > > > > > ~ David Smiley
> > > > > > > > > > > > Apache Lucene/Solr Search Developer
> > > > > > > > > > > > http://www.linkedin.com/in/davidwsmiley
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > On Wed, Apr 26, 2023 at 8:25 AM Gus Heck <
> > > > gus.h...@gmail.com
> > > > > >
> > > > > > > > wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Thanks David. It would be great to have you if you
> > can
> > > > find
> > > > > > > time
> > > > > > > > > for
> > > > > > > > > > > it. As
> > > > > > > > > > > > > far as time commitment goes, I think it should
> become
> > > > > minimal
> > > > > > > > > after a
> > > > > > > > > > > while
> > > > > > > > > > > > > unless we have a flood of security reports to
> respond
> > > to.
> > > > > > For a
> > > > > > > > > > little
> > > > > > > > > > > > > while after initial organization, I think the
> members
> > > > will
> > > > > > want
> > > > > > > > to
> > > > > > > > > > put
> > > > > > > > > > > a
> > > > > > > > > > > > > bit of effort into hitting some of the goals I
> > > mentioned.
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Tue, Apr 25, 2023 at 12:28 AM David Smiley <
> > > > > > > > dsmi...@apache.org>
> > > > > > > > > > > wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > This is a thoughtful organization attempt and
> > > needed, I
> > > > > > > think.
> > > > > > > > > > > Thanks
> > > > > > > > > > > > > Gus!
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I want to see if I could get a security
> > > > > specialist/engineer
> > > > > > > > > where I
> > > > > > > > > > > work
> > > > > > > > > > > > > to
> > > > > > > > > > > > > > help us with this.  I'm tempted to say I'm
> joining
> > > this
> > > > > > thing
> > > > > > > > but
> > > > > > > > > > I'm
> > > > > > > > > > > > > weary
> > > > > > > > > > > > > > of dedicating time per week.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > ~ David Smiley
> > > > > > > > > > > > > > Apache Lucene/Solr Search Developer
> > > > > > > > > > > > > > http://www.linkedin.com/in/davidwsmiley
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Mon, Apr 24, 2023 at 1:33 PM Gus Heck <
> > > > > > gus.h...@gmail.com
> > > > > > > >
> > > > > > > > > > wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > *Rationale*
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Over the course of the last decade the way
> > software
> > > > > > > security
> > > > > > > > is
> > > > > > > > > > > viewed
> > > > > > > > > > > > > > has
> > > > > > > > > > > > > > > changed. Solr has changed significantly over
> this
> > > > time
> > > > > > too
> > > > > > > > and
> > > > > > > > > we
> > > > > > > > > > > have
> > > > > > > > > > > > > > > gained some important security features and
> > fixed a
> > > > > > variety
> > > > > > > > of
> > > > > > > > > > > > > > > vulnerabilities. However, I think as a project
> we
> > > > have
> > > > > > not
> > > > > > > > > really
> > > > > > > > > > > > > > developed
> > > > > > > > > > > > > > > a clear vision of what our security goals and
> use
> > > > cases
> > > > > > > are.
> > > > > > > > I
> > > > > > > > > > have
> > > > > > > > > > > > > > > witnessed a fair bit of variability in the
> > > responses
> > > > to
> > > > > > > > > security
> > > > > > > > > > > > > related
> > > > > > > > > > > > > > > queries, and I think much of the variability
> > comes
> > > > from
> > > > > > > > > > conflation
> > > > > > > > > > > > > among
> > > > > > > > > > > > > > > "good practical advice", "somewhat dated
> advice"
> > > and
> > > > > > > "varying
> > > > > > > > > > > notions
> > > > > > > > > > > > > of
> > > > > > > > > > > > > > > supported use cases". We also regularly receive
> > > > reports
> > > > > > to
> > > > > > > > the
> > > > > > > > > > > > > > > secur...@solr.apache.org address that involve
> > > > > > > investigations
> > > > > > > > > > into
> > > > > > > > > > > > > > systems
> > > > > > > > > > > > > > > that are not properly secured to begin with or
> > > > > configured
> > > > > > > to
> > > > > > > > > > > explicitly
> > > > > > > > > > > > > > > allow the dangerous behavior and it's a shame
> to
> > > see
> > > > > > > security
> > > > > > > > > > > > > researchers
> > > > > > > > > > > > > > > waste their time on that. Finally, the PMC and
> > set
> > > of
> > > > > > > people
> > > > > > > > > > > subscribed
> > > > > > > > > > > > > > to
> > > > > > > > > > > > > > > secur...@solr.apache.org is a large enough
> group
> > > > that
> > > > > > > > incoming
> > > > > > > > > > > mails
> > > > > > > > > > > > > > often
> > > > > > > > > > > > > > > seem to languish in a classic example of nobody
> > > > having
> > > > > > > actual
> > > > > > > > > > > specific
> > > > > > > > > > > > > > > responsibility for responding.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > *Proposal*
> > > > > > > > > > > > > > > The Solr PMC should appoint from among its
> > members
> > > > > > either 3
> > > > > > > > to
> > > > > > > > > 5
> > > > > > > > > > > > > > > individuals to serve as a "security working
> > group"
> > > > > > > Membership
> > > > > > > > > in
> > > > > > > > > > > the
> > > > > > > > > > > > > > > "Security Working Group" requires subscribing
> to
> > > > > > > > > > > > > > secur...@solr.apache.org,
> > > > > > > > > > > > > > > and a 30 minute conference call once or twice a
> > > > month.
> > > > > > This
> > > > > > > > > > working
> > > > > > > > > > > > > group
> > > > > > > > > > > > > > > would have the following goals.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >    1. Establish a relationship with someone
> who's
> > > > core
> > > > > > job
> > > > > > > > > > > function is
> > > > > > > > > > > > > > >    computer security, rather than providing
> > search
> > > > (I'm
> > > > > > > > hoping
> > > > > > > > > > the
> > > > > > > > > > > ASF
> > > > > > > > > > > > > > has
> > > > > > > > > > > > > > >    some people who secure their systems that
> > could
> > > > be a
> > > > > > > > > > resource).
> > > > > > > > > > > This
> > > > > > > > > > > > > > > person
> > > > > > > > > > > > > > >    should be willing to offer a systems
> security
> > > > > > > perspective
> > > > > > > > on
> > > > > > > > > > our
> > > > > > > > > > > > > goals
> > > > > > > > > > > > > > > and
> > > > > > > > > > > > > > >    the security functionality we provide.
> > > > > > > > > > > > > > >    2. Develop a clear statement of the security
> > use
> > > > > cases
> > > > > > > we
> > > > > > > > > > would
> > > > > > > > > > > like
> > > > > > > > > > > > > > to
> > > > > > > > > > > > > > >    support, and exposition of some scenarios
> that
> > > are
> > > > > > > clearly
> > > > > > > > > out
> > > > > > > > > > > of
> > > > > > > > > > > > > > scope.
> > > > > > > > > > > > > > >    This results in a proposal to be discussed
> on
> > > the
> > > > > dev
> > > > > > > list
> > > > > > > > > and
> > > > > > > > > > > users
> > > > > > > > > > > > > > > list
> > > > > > > > > > > > > > >    and eventually voted on.
> > > > > > > > > > > > > > >    3. Identification of use cases we would like
> > to
> > > > > > support
> > > > > > > > that
> > > > > > > > > > > are not
> > > > > > > > > > > > > > yet
> > > > > > > > > > > > > > >    supported, and publicize them to encourage
> > these
> > > > > > > > > > contributions.
> > > > > > > > > > > > > > >    4. Review of documentation to ensure
> > consistency
> > > > > with
> > > > > > > our
> > > > > > > > > > > current
> > > > > > > > > > > > > > state
> > > > > > > > > > > > > > >    (security only, perhaps annually?).
> > > > > > > > > > > > > > >    5. Creation of a "security report checklist"
> > > that
> > > > > > > security
> > > > > > > > > > > > > researchers
> > > > > > > > > > > > > > >    can self apply before they submit reports.
> > > > > > > > > > > > > > >    6. Form letters for consistent response to
> > > reports
> > > > > > that
> > > > > > > > > > haven't
> > > > > > > > > > > > > passed
> > > > > > > > > > > > > > >    the checklist.
> > > > > > > > > > > > > > >    7. Provide consistent and prompt responses
> to
> > > > > possible
> > > > > > > > > > > > > > >    vulnerabilities reported to
> > secur...@apache.org
> > > .
> > > > > > Those
> > > > > > > > > > > subscribed
> > > > > > > > > > > > > to
> > > > > > > > > > > > > > >    secur...@solr.apache.org who are not in the
> > > > working
> > > > > > > group
> > > > > > > > > > > should
> > > > > > > > > > > > > > allow
> > > > > > > > > > > > > > >    the working group time to respond before
> > > > responding
> > > > > > > > > > themselves.
> > > > > > > > > > > > > > >    8. When asked, offer opinions on  proposed
> new
> > > > > > security
> > > > > > > > > > features
> > > > > > > > > > > > > > >    regarding consistency with the goals
> (working
> > > > group
> > > > > to
> > > > > > > > > > discuss,
> > > > > > > > > > > > > return
> > > > > > > > > > > > > > > with
> > > > > > > > > > > > > > >    an opinion, always publically and just as a
> > > voice
> > > > in
> > > > > > the
> > > > > > > > > > > > > conversation,
> > > > > > > > > > > > > > > not
> > > > > > > > > > > > > > >    as any sort of veto/control, decisions are
> > still
> > > > up
> > > > > to
> > > > > > > the
> > > > > > > > > > list
> > > > > > > > > > > of
> > > > > > > > > > > > > > > course).
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > NON-GOAL: The group is not responsible for
> fixing
> > > > > > security
> > > > > > > > bugs
> > > > > > > > > > or
> > > > > > > > > > > > > adding
> > > > > > > > > > > > > > > security features. (nothing stopping them of
> > > course,
> > > > > just
> > > > > > > not
> > > > > > > > > the
> > > > > > > > > > > point
> > > > > > > > > > > > > > of
> > > > > > > > > > > > > > > the group, which is a goal setting and
> > consistency
> > > > > > oriented
> > > > > > > > > > group)
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > *Volunteer*
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > And to lower the barrier to things started, I
> > > > volunteer
> > > > > > to
> > > > > > > > > > > participate
> > > > > > > > > > > > > in
> > > > > > > > > > > > > > > this WG for at least a year, and spend up to
> > > 2h/week
> > > > on
> > > > > > > it. I
> > > > > > > > > > don't
> > > > > > > > > > > > > think
> > > > > > > > > > > > > > > any members should be expected to dedicate more
> > > than
> > > > > that
> > > > > > > to
> > > > > > > > > it,
> > > > > > > > > > > and
> > > > > > > > > > > > > > > probably many weeks the time required should be
> > > less.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > *Feedback*
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Of course if you think this idea can be tweaked
> > or
> > > > > > > improved,
> > > > > > > > > > speak
> > > > > > > > > > > up!
> > > > > > > > > > > > > > The
> > > > > > > > > > > > > > > whole reason this is mailed to the dev list is
> to
> > > get
> > > > > > broad
> > > > > > > > > > > feedback so
> > > > > > > > > > > > > > > that we can implement the best improvements
> > > possible.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > -Gus
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > --
> > > > > > > > > > > > > http://www.needhamsoftware.com (work)
> > > > > > > > > > > > > http://www.the111shift.com (play)
> > > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > >
> > > ---------------------------------------------------------------------
> > > > > > > > > > > To unsubscribe, e-mail:
> dev-unsubscr...@solr.apache.org
> > > > > > > > > > > For additional commands, e-mail:
> > dev-h...@solr.apache.org
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > http://www.needhamsoftware.com (work)
> > > > > > > > > > http://www.the111shift.com (play)
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > http://www.needhamsoftware.com (work)
> > > > > > > > http://www.the111shift.com (play)
> > > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > http://www.needhamsoftware.com (work)
> > > > > > http://www.the111shift.com (play)
> > > > > >
> > > > >
> > > >
> > >
> > >
> > > --
> > > Marcus Eagan
> > >
> >
> >
> > --
> > http://www.needhamsoftware.com (work)
> > http://www.the111shift.com (play)
> >
>


-- 
http://www.needhamsoftware.com (work)
http://www.the111shift.com (play)

Reply via email to