mxnet-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lieven Govaerts <...@apache.org>
Subject Re: Revisit Maturity Model for MXNet
Date Sun, 06 Oct 2019 00:35:34 GMT
Hi Marco,

On Sun, 6 Oct 2019 at 00:09, Marco de Abreu <marco.g.abreu@gmail.com> wrote:

> Hi,
>
> These are very good points! I also noticed the security incident reporting
> when I reviewed it and I agree that it's something we have to work out.
>
> I will work on something tomorrow and provide a draft for the community to
> review. Do you think it's really necessary to have a separate email alias
> or is it sufficient to use private@?
>
>
There is actually a lot of good information related to security issues for
ASF projects here:
http://www.apache.org/security/

This page suggests a typical procedure on how to handle security issues:
https://www.apache.org/security/committers.html


What I read in these pages, is that smaller projects tend to delegate
security issue reporting to the ASF-wide security mailing list, whereas
larger projects (or projects more often concerned with security issues) set
up there own security@project.. mailing list.

I don't see examples directly of projects using the private mailing list
for this purpose, but I read:
  "It is expected that a subset of project PMC members and committers will
be subscribed to the project specific security mailing list. "
and
  "If reported to security@apache.org, the security team will forward the
report (without acknowledging it) to the project's security list or, of the
project does not have a security list, to the project's private (PMC)
mailing list."


My opinion:
In the short term you don't need a project-specific security mailing list.
Users are for all ASF projectsby default directed to report security issues
here: security@apache.org .
You just need to document this on your website somewhere.

If you start to see many issues being reported this way the project can
decide that it's better to have a small group of volunteers to handle these
reports.

Have a look at this project list to see how other ASF projects are
informing their users. I like the Apache Ant example for its simplicity,
but it has all the needed information:
http://www.apache.org/security/projects.html
regards,

Lieven

Best regards,
> Marco
>
>
>
> Lieven Govaerts <lgo@apache.org> schrieb am Sa., 5. Okt. 2019, 09:44:
>
> > Hi,
> >
> > On Sat, 5 Oct 2019 at 01:46, Sheng Zha <zhasheng@apache.org> wrote:
> >
> > > Hi,
> > >
> > > It's time to revisit the Apache maturity model for MXNet and see where
> we
> > > are with respect to graduation. Qing and I updated the maturity model
> in
> > > the wiki [1]. Comments are welcome.
> > >
> > >
> > for "QU30: The project provides a well-documented channel to report
> > security issues, along with a documented way of responding to them.", you
> > point to this page:
> > https://mxnet.incubator.apache.org/api/faq/security. However,
> > that page doesn't contain any information on how to contact the project
> to
> > report a security issue privately.
> >
> > Is there a security@mxnet.incubator.apache.org mailing list?
> > I don't see any information on the Contribution page that explains how
> > security issues should be reported differently from a normal issue, so
> for
> > me this is an open TODO.
> >
> > What does "Apache-2.0 (partial)" mean for dmlc-core? The github project
> > indicates it's ASLv2 licensed, so what it 'partial' about it?
> >
> > regards,
> >
> > Lieven
> >
> >
> >
> > > -sz
> > >
> > > [1] https://cwiki.apache.org/confluence/x/lQqQBQ
> > >
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message