Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 04117200D0E for ; Tue, 12 Sep 2017 07:59:27 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 02A4C1609C5; Tue, 12 Sep 2017 05:59:27 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 23B391609C4 for ; Tue, 12 Sep 2017 07:59:25 +0200 (CEST) Received: (qmail 64711 invoked by uid 500); 12 Sep 2017 05:59:25 -0000 Mailing-List: contact dev-help@apex.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@apex.apache.org Delivered-To: mailing list dev@apex.apache.org Received: (qmail 64694 invoked by uid 99); 12 Sep 2017 05:59:25 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 12 Sep 2017 05:59:25 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id 8B9C01A5169 for ; Tue, 12 Sep 2017 05:59:24 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 0.23 X-Spam-Level: X-Spam-Status: No, score=0.23 tagged_above=-999 required=6.31 tests=[FREEMAIL_ENVFROM_END_DIGIT=0.25, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=disabled Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024) with ESMTP id wXbuUbtHEeqs for ; Tue, 12 Sep 2017 05:59:22 +0000 (UTC) Received: from mail-pg0-f42.google.com (mail-pg0-f42.google.com [74.125.83.42]) by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTPS id B40515F640 for ; Tue, 12 Sep 2017 05:59:21 +0000 (UTC) Received: by mail-pg0-f42.google.com with SMTP id d8so19590393pgt.4 for ; Mon, 11 Sep 2017 22:59:21 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:organization :message-id:date:user-agent:mime-version:in-reply-to :content-transfer-encoding:content-language; bh=rzzQHK7LZhgBWpdXvkPVg8KKHz952bK5JSS6g5g/RH0=; b=hmK/dTSbteH+yry9PbPNzuorCoFFsU7fjQddtAcsffLkc/3izynKp4jjAUcwNJv35C /k+A5DoKQlVC1hn7kWDcX8IBk8wZNncPXLRUzJiBeA1eiV3tQoo2P5WU5KqHH+Zjb6Sh hQk3odNZkyvgDOVpF5OTXjFq7dT1dDBUl8GDVZZH/mw5cVLdrgIMYBVESwg/+SbNBBEu Zcj0jopxKVxKng6Oa1zGOK0NMRGL96eTykAOVdGmhe4HQ83iMvy2N9RIOLeOamqpfjIe WphvcvFz6OxYhDXjFnkH736UgMWpRDzVeB1DcwrrsrZBzRH9KL5PE+iv5xIrJNdkX7dZ dpFQ== X-Gm-Message-State: AHPjjUgnYdUr668lBmBLcMQrcxvP77d48KRIlxfGLAQEkoEf9DY9623b tq7vJdKjXYvjcJpvJDc= X-Google-Smtp-Source: ADKCNb7rE0XrV8GjG+mKXHL1nPa+epncp9crAMXwit69OCXxOpq4FRo3mfaJVbKRITHxnSjCO/17OA== X-Received: by 10.84.236.78 with SMTP id h14mr3633520pln.2.1505195959827; Mon, 11 Sep 2017 22:59:19 -0700 (PDT) Received: from vrozov-1056.local ([2601:646:8482:1283:a99c:1f9b:d328:b95a]) by smtp.gmail.com with ESMTPSA id r138sm17052541pgr.12.2017.09.11.22.59.18 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Sep 2017 22:59:19 -0700 (PDT) Subject: Re: checking dependencies for known vulnerabilities To: dev@apex.apache.org References: <39e50723-9e96-a1dd-590b-c74394535f88@apache.org> <61435004-3760-6b41-e859-e7dc38a9eae1@apache.org> <69269b43-aa7a-f46a-acec-a884f66e1ca8@apache.org> From: Vlad Rozov Organization: Apache Software Foundation Message-ID: <1990549a-78c3-8e44-d9f3-a6522d02a998@apache.org> Date: Mon, 11 Sep 2017 22:59:17 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US archived-at: Tue, 12 Sep 2017 05:59:27 -0000 So, you are saying that those members are eager to see new features, new functionalities and new code added to the project? Why they are not eager to see a unit test being fixed or a dependency with a severe security risk being removed? It is not that their original PR would be closed as a result of a unit test fix. What prevents those community members to put time and effort to fix CI build (unit test, dependency) that will directly benefit the community but may not immediately benefit a vendor and its (paying) customers? Thank you, Vlad On 9/11/17 22:08, Sanjay Pujare wrote: > Comments inline: > > >> On 9/10/17 23:40, Priyanka Gugale wrote: >> >>> It's good idea to check for vulnerabilities, but as Pramod said all >>> softwares / libraries are going to have some or other vulnerability at any >>> time. I will go with approach of "let's discuss this addition" and we >>> should not affect PRs which are not adding any new dependencies (due to >>> old >>> vulnerabilities). >>> >> While all software/libraries are subject to insecure code and >> vulnerabilities, all software vendors whether open or close source >> hopefully try to make code more secure rather than insecure. If there is an >> existing or newly introduced dependency with a critical security issue, I >> don't see why Apex community wants to accept the high probability of being >> exposed to a security exploit. The only reasonable explanation for me is >> that the community members do not care about overall project quality and >> care only for tasks/PRs assigned to them by somebody else. I'll be glad to >> hear a different explanation for the proposal not to penalize PRs that do >> not introduce new dependencies and are affected by a newly found >> vulnerability in an existing dependency. Will not we all be penalized later >> if we don't fix it? >> > > I take exception to the insinuation that (some) community members "care > only for tasks/PRs assigned to them by somebody else". It is quite possible > or likely that these members are eager to see new features, new > functionalities, or new code added to the project because they get excited > by such things. You need to take into account the mindset of people who are > submitting PRs to add a new functionality or fix a bug. The PR author's > focus correctly is on addressing that particular JIRA and ensuring that > JIRA gets resolved at the highest quality. To burden that PR author with > unrelated considerations of build systems, vulnerability findings and such > is not fair. Note that the project is (or should be) primarily driven by > users (and customers in case of vendors shipping this code in products) who > use these features and pay for these features. So we need to balance the > long term concerns about "security issues" and quality with the immediate > term concerns about adding features and functionalities. > > > >>> Also I also strongly feel, we need to be meticulous and think it through >>> before introducing such checks for reasons discussed before. >>> >> +1. Equally applies to a newly introduced functionality and bug fixes. >> > Totally agree. However when we discuss or "think through" any concerns they > should apply to the issue at hand (i.e. the newly introduced functionality > and bug fixes) and not external factors. > > >>> -Priyanka >>> >>>