(I'm cross posting in BCC)
As a part of my review of our security policy and procedures,
I've formed an opinion that PMCs need to (or at least should be
given the opt to) have some representation on the security team.
With this email, I'd like to give you a little bit of background
and request your feedback.
My initial motivation was entirely practical:
- Access to vulnerability reports should be kept limited during
- Many projects use GitHub Issues;
- GitHub Issues does not have any means of restricting access to
an issue; and
- Many of those projects don't have a Bugzilla presence.
So, we decide to create a general "Community/Vulnerability
Reports" component as a catch-all for these projects. The problem
that this leaves is that there's no guarantee that these reports
will be noticed by the right people. The existing security team
can probably catch and deal with most of the reports, but at least
some will be at risk of falling through the cracks.
My thought is that having PMC representation on the security team
will make it easier to shunt issue reports in the right direction
(either by moving the issue to the right Bugzilla bucket, or by
assigning the issue to the right committer or project lead).
More generally, however, there is also some basic value in having
PMC members generally aware of security related issues. Also, it
will also be valuable for projects to know who on their PMC to
contact if they need help or advice with security and/or
Some PMCs are already represented, but I'm thinking that I'd like
to make the relationship more formal. I'd like to have PMCs
nominate one or two PMC members as the PMC security team
representatives. These members will be added to the
security@xxxxxxxxxxx mailing list.
By way of expectation management, volume on this mailing list is
very low currently. We do, however, expect an increase in volume
resulting from the increase in projects doing runtime and IoT. We
only expect security team members to respond to issues within the
scope that they represent, but you may still have to deal with
some modest volume.
We're going to set Bugzilla up so that security@xxxxxxxxxxx is
notified of all newly reported issues against
Anybody can post to the mailing list, but only security team
members are subscribed. We do also get a small number of direct
emails. The list is moderated, so the messages that get through
are real. The strategy for addressing them is for a team member to
move the security@xxxxxxxxxxx address into BCC with their response
to the reporter and open a bug report for further.
It's also worth noting that the Security Team does not currently
hold any meetings. If there is consensus within the team that
having meetings, this could change. The one other things that I'm
thinking that I'd like to do is to have somebody from the Security
Team report to the Eclipse Planning Council during the regularly
I've opened a bug for discussion . I'd love your input.
Especially if you think that this is a bad idea. While I monitor
all PMC mailing lists, I'd appreciate it if you direct your
discussion and concerns about this topic into Bugzilla comments
where everybody can share in the discussion. As with basically
everything else we do around here, I'll assume lazy consensus.
Note that I've created a more general umbrella bug  to capture
progress on a host of security-related issues. Any feedback that
you can provide on any of those issues will be appreciated.
Thanks for your attention.
Wayne Beaton on behalf of the Eclipse Management Organization
The Eclipse Foundation