Re: [tools-pmc] Formally representing PMCs on the Security Team

Going once, twice, SOLD! :)

I am fine if someone else volunteers, but just in case that doesn't happen, I would appreciate you doing it Alexander (or, Aleksandar, if you prefer). So here is my +1 for Alexander to do it.


On 02/09/2017 07:19 AM, Aleksandar Kurtakov wrote:

----- Original Message -----
From: "Wayne Beaton" <emo@xxxxxxxxxxx>
Sent: Thursday, 2 February, 2017 11:41:30 PM
Subject: [tools-pmc] Formally representing PMCs on the Security Team

Greetings PMC!

(I'm cross posting in BCC)

As a part of my review of our security policy and procedures, I've formed an
opinion that PMCs need to (or at least should be given the option to) have some
representation on the security team. With this email, I'd like to give you a
little bit of background and request your feedback.

My initial motivation was entirely practical:

     * Access to vulnerability reports should be kept limited during initial
     * Many projects use GitHub Issues;
     * GitHub Issues does not have any means of restricting access to an
     issue; and
     * Many of those projects don't have a Bugzilla presence.

So, we decided to create a general "Community/Vulnerability Reports" component
as a catch-all for these projects. The problem that this leaves is that
there's no guarantee that these reports will be noticed by the right people.
The existing security team can probably catch and deal with most of the
reports, but at least some will be at risk of falling through the cracks.

My thought is that having PMC representation on the security team will make
it easier to shunt issue reports in the right direction (either by moving
the issue to the right Bugzilla bucket, or by assigning the issue to the
right committer or project lead).

More generally, however, there is also some basic value in having PMC members
generally aware of security related issues. It will also be valuable
for projects to know who on their PMC to contact if they need help or advice
with security and/or vulnerability-related issues.

Some PMCs are already represented, but I'm thinking that I'd like to make the
relationship more formal. I'd like to have PMCs nominate one or two PMC
members as the PMC security team representatives. These members will be
added to the security@xxxxxxxxxxx mailing list.
Hello Tools PMC,
Who will be our representative? I would prefer this to be someone else, to have a more focused representative, but if no one volunteers I can step in, as I would act as Eclipse TLP representative and forward things to project leads when due.

By way of expectation management, volume on this mailing list is very low
currently. We do, however, expect an increase in volume resulting from the
increase in projects doing runtime and IoT. We only expect security team
members to respond to issues within the scope that they represent, but you
may still have to deal with some modest volume.

We're going to set Bugzilla up so that security@xxxxxxxxxxx is notified of
all newly reported issues against Community/vulnerability Reports.

Anybody can post to the mailing list, but only security team members are
subscribed. We do also get a small number of direct emails. The list is
moderated, so the messages that get through are real. The strategy for
addressing them is for a team member to move the security@xxxxxxxxxxx
address into BCC with their response to the reporter and open a bug report
for further.

It's also worth noting that the Security Team does not currently hold any
meetings. If there is consensus within the team on having meetings, this
could change. The one other thing that I'm thinking that I'd like to do is
to have somebody from the Security Team report to the Eclipse Planning
Council during the regular monthly meetings.

I've opened a bug for discussion [1]. I'd love your input. Especially if you
think that this is a bad idea. While I monitor all PMC mailing lists, I'd
appreciate it if you direct your discussion and concerns about this topic
into Bugzilla comments where everybody can share in the discussion. As with
basically everything else we do around here, I'll assume lazy consensus.

Note that I've created a more general umbrella bug [2] to capture progress on
a host of security-related issues. Any feedback that you can provide on any
of those issues will be appreciated.

Thanks for your attention.



Wayne Beaton on behalf of the Eclipse Management Organization
The Eclipse Foundation
