Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[eclipse-pmc] Formally representing PMCs on the Security Team

Greetings PMC!

(I'm cross posting in BCC)

As a part of my review of our security policy and procedures, I've formed an opinion that PMCs need to (or at least should be given the opt to) have some representation on the security team. With this email, I'd like to give you a little bit of background and request your feedback.

My initial motivation was entirely practical:

  • Access to vulnerability reports should be kept limited during initial mitigation;
  • Many projects use GitHub Issues;
  • GitHub Issues does not have any means of restricting access to an issue; and
  • Many of those projects don't have a Bugzilla presence.

So, we decide to create a general "Community/Vulnerability Reports" component as a catch-all for these projects. The problem that this leaves is that there's no guarantee that these reports will be noticed by the right people. The existing security team can probably catch and deal with most of the reports, but at least some will be at risk of falling through the cracks.

My thought is that having PMC representation on the security team will make it easier to shunt issue reports in the right direction (either by moving the issue to the right Bugzilla bucket, or by assigning the issue to the right committer or project lead).

More generally, however, there is also some basic value in having PMC members generally aware of security related issues. Also, it will also be valuable for projects to know who on their PMC to contact if they need help or advice with security and/or vulnerability-related issues.

Some PMCs are already represented, but I'm thinking that I'd like to make the relationship more formal. I'd like to have PMCs nominate one or two PMC members as the PMC security team representatives. These members will be added to the security@xxxxxxxxxxx mailing list.

By way of expectation management, volume on this mailing list is very low currently. We do, however, expect an increase in volume resulting from the increase in projects doing runtime and IoT. We only expect security team members to respond to issues within the scope that they represent, but you may still have to deal with some modest volume.

We're going to set Bugzilla up so that security@xxxxxxxxxxx is notified of all newly reported issues against Community/vulnerability Reports.

Anybody can post to the mailing list, but only security team members are subscribed. We do also get a small number of direct emails. The list is moderated, so the messages that get through are real. The strategy for addressing them is for a team member to move the security@xxxxxxxxxxx address into BCC with their response to the reporter and open a bug report for further.

It's also worth noting that the Security Team does not currently hold any meetings. If there is consensus within the team that having meetings, this could change. The one other things that I'm thinking that I'd like to do is to have somebody from the Security Team report to the Eclipse Planning Council during the regularly monthly meetings.

I've opened a bug for discussion [1]. I'd love your input. Especially if you think that this is a bad idea. While I monitor all PMC mailing lists, I'd appreciate it if you direct your discussion and concerns about this topic into Bugzilla comments where everybody can share in the discussion. As with basically everything else we do around here, I'll assume lazy consensus.

Note that I've created a more general umbrella bug [2] to capture progress on a host of security-related issues. Any feedback that you can provide on any of those issues will be appreciated.

Thanks for your attention.

Wayne

[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=510992
[2] https://bugs.eclipse.org/bugs/show_bug.cgi?id=510142


--
Wayne Beaton on behalf of the Eclipse Management Organization
@waynebeaton
The Eclipse Foundation
Eclipse
          Converge

Back to the top