Greetings PMC!
(I'm cross posting in BCC)
As a part of my review of our security policy and procedures,
I've formed an opinion that PMCs need to (or at least should
be given the option to) have some representation on the security
team. With this email, I'd like to give you a little bit of
background and request your feedback.
My initial motivation was entirely practical:
- Access to vulnerability reports should be kept limited
during initial mitigation;
- Many projects use GitHub Issues;
- GitHub Issues does not have any means of restricting
access to an issue; and
- Many of those projects don't have a Bugzilla presence.
So, we decided to create a general "Community/Vulnerability
Reports" component as a catch-all for these projects. The
problem that this leaves is that there's no guarantee that
these reports will be noticed by the right people. The
existing security team can probably catch and deal with most
of the reports, but at least some will be at risk of falling
through the cracks.
My thought is that having PMC representation on the security
team will make it easier to shunt issue reports in the right
direction (either by moving the issue to the right Bugzilla
bucket, or by assigning the issue to the right committer or
project lead).
More generally, however, there is also some basic value in
having PMC members generally aware of security related issues.
It will also be valuable for projects to know who on
their PMC to contact if they need help or advice with security
and/or vulnerability-related issues.
Some PMCs are already represented, but I'm thinking that I'd
like to make the relationship more formal. I'd like to have
PMCs nominate one or two PMC members as the PMC security team
representatives. These members will be added to the security@xxxxxxxxxxx
mailing list.
By way of expectation management, volume on this mailing list
is very low currently. We do, however, expect an increase in
volume resulting from the increase in projects doing runtime
and IoT. We only expect security team members to respond to
issues within the scope that they represent, but you may still
have to deal with some modest volume.
We're going to set Bugzilla up so that security@xxxxxxxxxxx
is notified of all newly reported issues against
Community/Vulnerability Reports.
Anybody can post to the mailing list, but only security team
members are subscribed. We do also get a small number of
direct emails. The list is moderated, so the messages that get
through are real. The strategy for addressing them is for a
team member to move the security@xxxxxxxxxxx
address into BCC with their response to the reporter and open
a bug report for further.
It's also worth noting that the Security Team does not
currently hold any meetings. If there is consensus within the
team on having meetings, this could change. The one other
thing that I'm thinking that I'd like to do is to have
somebody from the Security Team report to the Eclipse Planning
Council during the regular monthly meetings.
I've opened a bug for discussion [1]. I'd love your input.
Especially if you think that this is a bad idea. While I
monitor all PMC mailing lists, I'd appreciate it if you direct
your discussion and concerns about this topic into Bugzilla
comments where everybody can share in the discussion. As with
basically everything else we do around here, I'll assume lazy
consensus.
Note that I've created a more general umbrella bug [2] to
capture progress on a host of security-related issues. Any
feedback that you can provide on any of those issues will be
appreciated.
Thanks for your attention.
Wayne
[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=510992
[2] https://bugs.eclipse.org/bugs/show_bug.cgi?id=510142
--
Wayne Beaton on behalf of the Eclipse Management Organization
@waynebeaton
The Eclipse Foundation

_______________________________________________
technology-pmc mailing list
technology-pmc@xxxxxxxxxxxxxxxx