Greetings PMC!
(I'm cross posting in BCC)
As a part of my review of our security policy and procedures,
I've formed an opinion that PMCs need to (or at least should be
given the opt to) have some representation on the security team.
With this email, I'd like to give you a little bit of background
and request your feedback.
My initial motivation was entirely practical:
- Access to vulnerability reports should be kept limited
during initial mitigation;
- Many projects use GitHub Issues;
- GitHub Issues does not have any means of restricting access
to an issue; and
- Many of those projects don't have a Bugzilla presence.
So, we decide to create a general "Community/Vulnerability
Reports" component as a catch-all for these projects. The
problem that this leaves is that there's no guarantee that these
reports will be noticed by the right people. The existing
security team can probably catch and deal with most of the
reports, but at least some will be at risk of falling through
the cracks.
My thought is that having PMC representation on the security
team will make it easier to shunt issue reports in the right
direction (either by moving the issue to the right Bugzilla
bucket, or by assigning the issue to the right committer or
project lead).
More generally, however, there is also some basic value in
having PMC members generally aware of security related issues.
Also, it will also be valuable for projects to know who on their
PMC to contact if they need help or advice with security and/or
vulnerability-related issues.
Some PMCs are already represented, but I'm thinking that I'd
like to make the relationship more formal. I'd like to have PMCs
nominate one or two PMC members as the PMC security team
representatives. These members will be added to the security@xxxxxxxxxxx
mailing list.
By way of expectation management, volume on this mailing list
is very low currently. We do, however, expect an increase in
volume resulting from the increase in projects doing runtime and
IoT. We only expect security team members to respond to issues
within the scope that they represent, but you may still have to
deal with some modest volume.
We're going to set Bugzilla up so that security@xxxxxxxxxxx is
notified of all newly reported issues against
Community/vulnerability Reports.
Anybody can post to the mailing list, but only security team
members are subscribed. We do also get a small number of direct
emails. The list is moderated, so the messages that get through
are real. The strategy for addressing them is for a team member
to move the security@xxxxxxxxxxx
address into BCC with their response to the reporter and open a
bug report for further.
It's also worth noting that the Security Team does not
currently hold any meetings. If there is consensus within the
team that having meetings, this could change. The one other
things that I'm thinking that I'd like to do is to have somebody
from the Security Team report to the Eclipse Planning Council
during the regularly monthly meetings.
I've opened a bug for discussion [1]. I'd love your input.
Especially if you think that this is a bad idea. While I monitor
all PMC mailing lists, I'd appreciate it if you direct your
discussion and concerns about this topic into Bugzilla comments
where everybody can share in the discussion. As with basically
everything else we do around here, I'll assume lazy consensus.
Note that I've created a more general umbrella bug [2] to
capture progress on a host of security-related issues. Any
feedback that you can provide on any of those issues will be
appreciated.
Thanks for your attention.
Wayne
[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=510992
[2] https://bugs.eclipse.org/bugs/show_bug.cgi?id=510142
--
Wayne Beaton on behalf of the Eclipse Management Organization
@waynebeaton
The Eclipse Foundation
_______________________________________________
technology-pmc mailing list
technology-pmc@xxxxxxxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.locationtech.org/mailman/listinfo/technology-pmc
