I don't want to share numbers on a public forum but I just counted up
the number of podlings with active or recent security reports and it
seems things are not that rosy. It seems to me that podlings are about
as likely to get issues reported as ASF projects generally. I can post
some numbers on th
Hi,
While I have nothing against this idea, podlings rarely get security reports,
and most never get them. Even if it occurred a few times a year, do we want to
task all podlings with this?
Kind Regards,
Justin
> On 19 Mar 2025, at 2:07 AM, Shane Curcuru wrote:
>
> PJ Fanning wrote on 3/6/25 10:0
PJ Fanning wrote on 3/6/25 10:02 AM:
As a concrete proposal, can I suggest adding a question to the podling report.
Thanks for moving this to something concrete. Note as a general
concept, I support this idea. Beefing up our documented processes
around security handling is important, especi
Related, should we ask the podling if all PPMC members (and only PPMC members
or invited outsiders) are subscribed to the private mail list?
Craig
> On Mar 6, 2025, at 07:02, PJ Fanning wrote:
>
> As a concrete proposal, can I suggest adding a question to the podling report.
>
> Something li
As a concrete proposal, can I suggest adding a question to the podling report.
Something like:
Is the podling PPMC being responsive to email threads on the private mailing
list (don't discuss specific instances here because the threads are private)?
I know this is a long winded question that rea
A simple yes/no question about the subscribers to the private list
seems fine to me.
On Thu, 6 Mar 2025 at 17:47, Craig Russell wrote:
>
> Related, should we ask the podling if all PPMC members (and only PPMC members
> or invited outsiders) are subscribed to the private mail list?
>
> Craig
>
>
Hi
This is a good proposal. As part of the new reporting tool for
projects, a security section is part of the report.
So, it makes sense to have it for podlings.
Regards
JB
On Fri, Jan 24, 2025 at 2:35 PM PJ Fanning wrote:
>
> Hi everyone,
>
> I didn't follow up on this when I raised it in
I see it like this:
Have a podling analyzed for their open security issues:
+1
Have a podling asked about how they feel they can react to security issues:
0/-1 because the self-assessment is only worth something if it has been
tested. It's not like they get a new issue every other month - I hope.
> On Jan 24, 2025, at 1:44 PM, PJ Fanning wrote:
>
> The ASF generally mandates a min of 3 days for votes on release
> candidates. This can be significantly shortened if there is a security
> issue that needs a quick release.
> With Podlings, they typically require 2 rounds of voting (PPMC and
The ASF generally mandates a min of 3 days for votes on release
candidates. This can be significantly shortened if there is a security
issue that needs a quick release.
With Podlings, they typically require 2 rounds of voting (PPMC and
then the Incubator PMC) but again if a podling needs a quick re
Maybe one more thing we should think about. What if there is a security
issue, the response of the podling is good and the issue gets fixed very
fast. And can only be fixed by a new release. But then the incubator
finds issues with the release and the release issues cannot be fixed
right away. I d
Thanks Calvin for your response. Maybe we could start by having the ASF
Security team track progress on reported issues - as they already do. In
the Incubator public reporting, we would not disclose anything other than
self reporting that the PPMC feels confident that they are in a good
position to
I completely agree with this proposal, even though some podlings rarely
encounter security issues during incubation. (This may change as they
transition to TLP status and gain more visibility.) However, understanding
and recognizing the importance of security issues is also something
podlings need
Hi everyone,
I didn't follow up on this when I raised it in December 2023. I'd like
to propose it again.
Basically, the idea is that the podling reports, that we do every 3
months, would have a question about whether the podling believes that
they are being sufficiently responsive to issues raised
Hi PJ,
I agree that there should be a section in podlings' reports that highlights
security issues.
Regards,
Craig
> On Dec 13, 2023, at 05:22, PJ Fanning wrote:
>
> Hi everyone,
>
> I'm wondering if podlings should include some details about their
> security issues [1] in their 3 podling r
Hi everyone,
I'm wondering if podlings should include some details about their
security issues [1] in their 3 podling reports. We won't want to
release information about any security issues that are still under
investigation or where the fix is not yet released. I still think
there is little harm