Re: [tools-pmc] Formally representing PMCs on the Security Team

[David Williams <david_williams@xxxxxxx>]

Going once, twice, SOLD! :)

I am fine if someone else volunteers, but just in case that doesn't 
happen, I would appreciate you doing it Alexander (or, Aleksandar, if 
you prefer). So here is my +1 for Alexander to do it.

Sincerely,



On 02/09/2017 07:19 AM, Aleksandar Kurtakov wrote:
> ----- Original Message -----
> > From: "Wayne Beaton" <emo@xxxxxxxxxxx>
> > Sent: Thursday, 2 February, 2017 11:41:30 PM
> > Subject: [tools-pmc] Formally representing PMCs on the Security Team
> >
> >
> >
> > Greetings PMC!
> >
> > (I'm cross posting in BCC)
> >
> >
> > As a part of my review of our security policy and procedures, I've formed an
> > opinion that PMCs need to (or at least should be given the opt to) have some
> > representation on the security team. With this email, I'd like to give you a
> > little bit of background and request your feedback.
> >
> >
> > My initial motivation was entirely practical:
> >
> >      * Access to vulnerability reports should be kept limited during initial
> >      mitigation;
> >      * Many projects use GitHub Issues;
> >      * GitHub Issues does not have any means of restricting access to an
> >      issue; and
> >      * Many of those projects don't have a Bugzilla presence.
> >
> >
> > So, we decide to create a general "Community/Vulnerability Reports" component
> > as a catch-all for these projects. The problem that this leaves is that
> > there's no guarantee that these reports will be noticed by the right people.
> > The existing security team can probably catch and deal with most of the
> > reports, but at least some will be at risk of falling through the cracks.
> >
> > My thought is that having PMC representation on the security team will make
> > it easier to shunt issue reports in the right direction (either by moving
> > the issue to the right Bugzilla bucket, or by assigning the issue to the
> > right committer or project lead).
> >
> > More generally, however, there is also some basic value in having PMC members
> > generally aware of security related issues. Also, it will also be valuable
> > for projects to know who on their PMC to contact if they need help or advice
> > with security and/or vulnerability-related issues.
> >
> >
> > Some PMCs are already represented, but I'm thinking that I'd like to make the
> > relationship more formal. I'd like to have PMCs nominate one or two PMC
> > members as the PMC security team representatives. These members will be
> > added to the security@xxxxxxxxxxx mailing list.
> Hello Tools PMC,
> Who will be our representative ? I would prefer this to be someone else to have more focused representative but if no one volunteers I can step in as I would act as Eclipse TLP representative and forward things to project leads when due.
> Anyone?
>
> > By way of expectation management, volume on this mailing list is very low
> > currently. We do, however, expect an increase in volume resulting from the
> > increase in projects doing runtime and IoT. We only expect security team
> > members to respond to issues within the scope that they represent, but you
> > may still have to deal with some modest volume.
> >
> > We're going to set Bugzilla up so that security@xxxxxxxxxxx is notified of
> > all newly reported issues against Community/vulnerability Reports.
> >
> >
> > Anybody can post to the mailing list, but only security team members are
> > subscribed. We do also get a small number of direct emails. The list is
> > moderated, so the messages that get through are real. The strategy for
> > addressing them is for a team member to move the security@xxxxxxxxxxx
> > address into BCC with their response to the reporter and open a bug report
> > for further.
> >
> > It's also worth noting that the Security Team does not currently hold any
> > meetings. If there is consensus within the team that having meetings, this
> > could change. The one other things that I'm thinking that I'd like to do is
> > to have somebody from the Security Team report to the Eclipse Planning
> > Council during the regularly monthly meetings.
> >
> >
> > I've opened a bug for discussion [1]. I'd love your input. Especially if you
> > think that this is a bad idea. While I monitor all PMC mailing lists, I'd
> > appreciate it if you direct your discussion and concerns about this topic
> > into Bugzilla comments where everybody can share in the discussion. As with
> > basically everything else we do around here, I'll assume lazy consensus.
> >
> > Note that I've created a more general umbrella bug [2] to capture progress on
> > a host of security-related issues. Any feedback that you can provide on any
> > of those issues will be appreciated.
> >
> >
> > Thanks for your attention.
> >
> > Wayne
> >
> >
> > [1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=510992
> > [2] https://bugs.eclipse.org/bugs/show_bug.cgi?id=510142
> >
> > --
> > Wayne Beaton on behalf of the Eclipse Management Organization
> > @waynebeaton
> > The Eclipse Foundation
> >
> > _______________________________________________
> > tools-pmc mailing list
> > tools-pmc@xxxxxxxxxxx
> > To change your delivery options, retrieve your password, or unsubscribe from
> > this list, visit
> > https://dev.eclipse.org/mailman/listinfo/tools-pmc