Re: [eclipse-pmc] Formally representing PMCs on the Security Team
----- Original Message -----
> From: "Wayne Beaton" <emo@xxxxxxxxxxx>
> Sent: Thursday, 2 February, 2017 11:41:30 PM
> Subject: [eclipse-pmc] Formally representing PMCs on the Security Team
> Greetings PMC!
> (I'm cross posting in BCC)
> As a part of my review of our security policy and procedures, I've formed an
> opinion that PMCs need to (or at least should be given the option to) have some
> representation on the security team. With this email, I'd like to give you a
> little bit of background and request your feedback.
> My initial motivation was entirely practical:
> * Access to vulnerability reports should be kept limited during initial
> * Many projects use GitHub Issues;
> * GitHub Issues does not have any means of restricting access to an
> issue; and
> * Many of those projects don't have a Bugzilla presence.
> So, we decided to create a general "Community/Vulnerability Reports" component
> as a catch-all for these projects. The problem that this leaves is that
> there's no guarantee that these reports will be noticed by the right people.
> The existing security team can probably catch and deal with most of the
> reports, but at least some will be at risk of falling through the cracks.
> My thought is that having PMC representation on the security team will make
> it easier to shunt issue reports in the right direction (either by moving
> the issue to the right Bugzilla bucket, or by assigning the issue to the
> right committer or project lead).
> More generally, however, there is also some basic value in having PMC members
> generally aware of security related issues. It will also be valuable
> for projects to know who on their PMC to contact if they need help or advice
> with security and/or vulnerability-related issues.
> Some PMCs are already represented, but I'm thinking that I'd like to make the
> relationship more formal. I'd like to have PMCs nominate one or two PMC
> members as the PMC security team representatives. These members will be
> added to the security@xxxxxxxxxxx mailing list.
We have discussed it at the latest Eclipse TLP PMC meeting and came to the agreement that I will be the representative (at least for now) as I already keep an eye on these things through other channels.
Let me know if there is anything I have to do myself.
> By way of expectation management, volume on this mailing list is very low
> currently. We do, however, expect an increase in volume resulting from the
> increase in projects doing runtime and IoT. We only expect security team
> members to respond to issues within the scope that they represent, but you
> may still have to deal with some modest volume.
> We're going to set Bugzilla up so that security@xxxxxxxxxxx is notified of
> all newly reported issues against Community/Vulnerability Reports.
> Anybody can post to the mailing list, but only security team members are
> subscribed. We do also get a small number of direct emails. The list is
> moderated, so the messages that get through are real. The strategy for
> addressing them is for a team member to move the security@xxxxxxxxxxx
> address into BCC with their response to the reporter and open a bug report
> for further.
> It's also worth noting that the Security Team does not currently hold any
> meetings. If there is consensus within the team on having meetings, this
> could change. The one other thing that I'm thinking that I'd like to do is
> to have somebody from the Security Team report to the Eclipse Planning
> Council during the regular monthly meetings.
> I've opened a bug for discussion. I'd love your input. Especially if you
> think that this is a bad idea. While I monitor all PMC mailing lists, I'd
> appreciate it if you direct your discussion and concerns about this topic
> into Bugzilla comments where everybody can share in the discussion. As with
> basically everything else we do around here, I'll assume lazy consensus.
> Note that I've created a more general umbrella bug to capture progress on
> a host of security-related issues. Any feedback that you can provide on any
> of those issues will be appreciated.
> Thanks for your attention.
>  https://bugs.eclipse.org/bugs/show_bug.cgi?id=510992
>  https://bugs.eclipse.org/bugs/show_bug.cgi?id=510142
> Wayne Beaton on behalf of the Eclipse Management Organization
> The Eclipse Foundation
Red Hat Eclipse team