[DISCUSS] Expose or setup a security@flink.apache.org mailing list for security report and discussion


[DISCUSS] Expose or setup a security@flink.apache.org mailing list for security report and discussion

Dian Fu-2
Hi all,

I'm reaching out to see if there is an existing security-specific mailing list in Flink. If there is, we should expose it on the official web site of Flink [1] to guide people to report security issues to this mailing list. If it still doesn't exist, I'm here to propose to set up a [hidden email] mailing list for reporting and discussion of security-specific issues. Currently, most well-known Apache projects such as Apache Commons [2], Hadoop [3], Spark [4], Kafka [5], Hive [6], etc. have a security-specific mailing list. It would be nice if there is also a security-specific mailing list for Flink.

Note that users should report security issues to the security mailing list.

Looking forward to your feedback!

Regards,
Dian

[1] https://flink.apache.org/community.html
[2] https://commons.apache.org/mail-lists.html
[3] https://hadoop.apache.org/mailing_lists.html
[4] https://spark.apache.org/community.html
[5] https://kafka.apache.org/project-security.html
[6] https://hive.apache.org/mailing_lists.html

Re: [DISCUSS] Expose or setup a security@flink.apache.org mailing list for security report and discussion

jincheng sun
Hi Dian,

Thanks a lot for bringing up this discussion. This is very important for
Flink community!

I think setting up a security mailing list for Flink is pretty nice, although
`[hidden email]` can be used and the report will be forwarded to the Flink
private mailing list if there is no project-specific security mailing
list. One thing that is pretty sure is that we should guide users on how to
report security issues on the Flink website, as security vulnerabilities should
not be entered into a project's public bug tracker directly, according to
the guidance on how to handle security vulnerabilities on the ASF
site [1].

Besides, we also need to add a security page in Flink which shows the
information about the security vulnerabilities, per the guidance on
security vulnerabilities on the ASF site [2]. Projects such as Spark [3],
Kafka [4], etc. already have such a page.

Best,
Jincheng

[1] https://www.apache.org/security/committers.html#vulnerability-handling
[2] https://www.apache.org/security/committers.html#publishing-information
[3] https://spark.apache.org/security.html
[4] https://kafka.apache.org/cve-list

Dian Fu <[hidden email]> wrote on Thu, Nov 14, 2019 at 12:12 PM:

Re: [DISCUSS] Expose or setup a security@flink.apache.org mailing list for security report and discussion

Jeff Zhang
Thanks Dian Fu for this proposal. +1 for creating a security mailing list. To be
noted, the security mailing list is a private mailing list and cannot be
subscribed to publicly.
FYI, Apache members can create mailing lists using this self-service tool:
https://selfserve.apache.org/


jincheng sun <[hidden email]> wrote on Thu, Nov 14, 2019 at 12:25 PM:

--
Best Regards

Jeff Zhang

Re: [DISCUSS] Expose or setup a security@flink.apache.org mailing list for security report and discussion

Hequn Cheng
Hi Dian,

Good idea! +1 to have a security mailing list.
It is nice for Flink to have an official procedure to handle security
problems, e.g., reporting, addressing and publishing.

Best, Hequn

On Thu, Nov 14, 2019 at 1:20 PM Jeff Zhang <[hidden email]> wrote:

Re: [DISCUSS] Expose or setup a security@flink.apache.org mailing list for security report and discussion

Jark Wu-2
Hi Dian,

Good idea and +1 to setting up a security mailing list.
Security vulnerabilities should not be publicly disclosed (e.g. via the dev ML
or JIRA) until the project has responded.
However, AFAIK, Flink doesn't have an official process to
report vulnerabilities.
It would be nice to have one to protect Flink users and respond to security
problems quickly.

Btw, we may also need a dedicated page to describe the security
vulnerabilities report process and CVE list on the website.

Best,
Jark



On Thu, 14 Nov 2019 at 13:36, Hequn Cheng <[hidden email]> wrote:

Re: [DISCUSS] Expose or setup a security@flink.apache.org mailing list for security report and discussion

Chesnay Schepler-3
AFAIK, the official way to report vulnerabilities in any apache project
is to write to [hidden email] and/or notify the respective PMC. So
far, we had several reports that went this route, hence I'm not
convinced that an additional ML is required.

I would be fine with an additional paragraph somewhere outlining this
though.

On 14/11/2019 06:57, Jark Wu wrote:

Re: [DISCUSS] Expose or setup a security@flink.apache.org mailing list for security report and discussion

Chesnay Schepler-3
Source: https://www.apache.org/security/

Now, we can of course set up such a mailing list (as outlined here
https://www.apache.org/security/committers.html), but I'm not sure if it
is necessary since the number of reports is _really_ low.

On 14/11/2019 11:03, Chesnay Schepler wrote:

Re: [DISCUSS] Expose or setup a security@flink.apache.org mailing list for security report and discussion

Yu Li
Thanks for bringing up this discussion Dian! How to report security bugs to
our project is a very important topic!

Big +1 on adding some explicit instructions in our documentation about how to
report security issues, and I suggest opening another thread to vote on the
reporting approach for Flink.

FWIW, known options to report security issues include:
1. Set up [hidden email] and ask users to report security issues there
2. Ask users to send security reports to [hidden email]
3. Ask users to send security reports directly to [hidden email]

More details:

Descriptions on http://apache.org/security/:
============================================

We strongly encourage folks to report security vulnerabilities to one of
our private security mailing lists first, before disclosing them in a
public forum.

A list of security contacts for Apache projects
<http://apache.org/security/projects.html> is available. If you can't find
a project specific security e-mail address and you have an undisclosed
security vulnerability to report then please use the general security
address below.

The general security mailing list address is: [hidden email]
<[hidden email]>. This is a private mailing list.
============================================

There are also projects directly using the private@ mailing list to report
security issues, such as HBase (as documented at the very beginning of its
online reference guide here <http://hbase.apache.org/book.html#_preface>).

Hope this information helps. Thanks.

Best Regards,
Yu


On Thu, 14 Nov 2019 at 18:11, Chesnay Schepler <[hidden email]> wrote:

Re: [DISCUSS] Expose or setup a security@flink.apache.org mailing list for security report and discussion

Becket Qin
Thanks for bringing this up, Dian.

+1 on creating a project-specific security mailing list. My two cents: I
think it is worth doing in practice.

Although the ASF security ML is always available, usually all the emails
are simply routed to the individual project PMC. This is an additional hop.
And in some cases, the best person to address the reported issue may not be
a PMC member but a committer, so the PMC has to again bring them into
the loop. This makes things unnecessarily complicated. Having a
project-specific security ML would make it much easier to have everyone at
the same table.

Also, one thing to note is that even though security issues are usually
rare, they could be devastating, and thus need to be treated seriously. So I
think it is a good idea to establish the handling mechanism regardless of
the frequency of reported security vulnerabilities.

Thanks,

Jiangjie (Becket) Qin


Re: [DISCUSS] Expose or setup a security@flink.apache.org mailing list for security report and discussion

Dian Fu-2
Hi all,

Thanks for sharing your thoughts. Appreciated! Let me try to summarize the
information and thoughts received so far. Please feel free to let me know
if there is anything wrong or missing.

1. Setup project specific security mailing list
Pros:
- The security reports received by [hidden email] will be forwarded to
the project private (PMC) mailing list. Having a project specific security
mailing list is helpful in cases when the best person to address the
security issue is not a PMC member, but a committer. It makes things simple
as everyone (both PMCs and committers) is at the same table.
- Even though the security issues are usually rare, they could be
devastating and thus need to be treated seriously.
- Most notable apache projects such as apache common, hadoop, spark, kafka,
hive, etc have a security specific mailing list.

Cons:
- The ASF security mailing list [hidden email] could be used if there
is no project specific security mailing list.
- The number of security reports is very low.

Additional information:
- The security mailing list can only be subscribed to by PMCs and committers.
However, everyone can report security issues to the security mailing list.


2. Guide users to report the security issues
Why:
- Security vulnerabilities should not be publicly disclosed (e.g. via dev
ML or JIRA) until the project has responded. We should guide users on how
to report security issues in Flink website.

How:
- Option 1: Set up [hidden email] and ask users to report
security issues there
- Option 2: Ask users to send security report to [hidden email]
- Option 3: Ask users to send security report directly to
[hidden email]


3. Dedicated page to show the security vulnerabilities
- We may need a dedicated security page to describe the CVE list on the
Flink website.

I think it makes sense to open separate discussion threads on 2) and 3).
I'll create separate discussion threads for them. Let's focus on 1) in this
thread.

If there is no other feedback on 1), I'll bring up a VOTE for this
discussion.

What do you think?

Thanks,
Dian


Re: [DISCUSS] Expose or setup a security@flink.apache.org mailing list for security report and discussion

Dian Fu-2
Hi all,

There is no new feedback, and it seems that we have received enough feedback about setting up a [hidden email] mailing list [1] for security reports and discussion. It shows that it's optional, as we can use either [hidden email] or [hidden email]. So I'd like to start the vote on setting up a [hidden email] mailing list to make the final decision.

Thanks,
Dian


Re: [DISCUSS] Expose or setup a security@flink.apache.org mailing list for security report and discussion

Dian Fu-2
Hi all,

Just syncing the results of the vote on setting up a mailing list [hidden email]:
it has been rejected [1].

Another very important thing is that all the people agree that there should
be a guideline on how to report security issues on the Flink website. Do you
think we should bring up a separate discussion/vote thread? If so, I will
do that. Personally I think that discussing it on the PR is enough. What do
you think?

I have created a PR [2]. I'd appreciate it if you could take a look.

Regards,
Dian

[1]
http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/VOTE-Setup-a-security-flink-apache-org-mailing-list-tt35205.html
[2] https://github.com/apache/flink-web/pull/287

On Thu, Nov 21, 2019 at 3:58 PM Dian Fu <[hidden email]> wrote:

> Hi all,
>
> There are no new feedbacks and it seems that we have received enough
> feedback about setup a [hidden email] mailing list[1] for
> security report and discussion. It shows that it's optional as we can use
> either [hidden email] or [hidden email]. So I'd like to
> start the vote for setup a [hidden email] mailing list to make
> the final decision.
>
> Thanks,
> Dian
>
> 在 2019年11月19日,下午6:06,Dian Fu <[hidden email]> 写道:
>
> Hi all,
>
> Thanks for sharing your thoughts. Appreciated! Let me try to summarize the
> information and thoughts received so far. Please feel free to let me know
> if there is anything wrong or missing.
>
> 1. Setup project specific security mailing list
> Pros:
> - The security reports received by [hidden email] will be forwarded
> to the project private(PMC) mailing list. Having a project specific
> security mailing list is helpful in cases when the best person to address
> the security issue is not a PMC member, but a committer. It makes things
> simple as everyone(both PMCs and committers) is on the same table.
> - Even though the security issues are usually rare, they could be
> devastating and thus need to be treated seriously.
> - Most notable apache projects such as apache common, hadoop, spark,
> kafka, hive, etc have a security specific mailing list.
>
> Cons:
> - The ASF security mailing list [hidden email] could be used if
> there is no project specific security mailing list.
> - The number of security reports is very low.
>
> Additional information:
> - Security mailing list could only be subscribed by PMCs and committers.
> However everyone could report security issues to the security mailing list.
>
>
> 2. Guide users to report the security issues
> Why:
> - Security vulnerabilities should not be publicly disclosed (e.g. via dev
> ML or JIRA) until the project has responded. We should guide users on how
> to report security issues in Flink website.
>
> How:
> - Option 1: Set up [hidden email] and ask users to report
> security issues there
> - Option 2: Ask users to send security report to [hidden email]
> - Option 3: Ask users to send security report directly to
> [hidden email]
>
>
> 3. Dedicated page to show the security vulnerabilities
> - We may need a dedicated security page to describe the CVE list on the
> Flink website.
>
> I think it makes sense to open separate discussion threads on 2) and 3).
> I'll create separate discussion threads for them. Let's focus on 1) in this
> thread.
>
> If there is no other feedback on 1), I'll bring up a VOTE for this
> discussion.
>
> What do you think?
>
> Thanks,
> Dian
>
> On Fri, Nov 15, 2019 at 10:18 AM Becket Qin <[hidden email]> wrote:
>
>> Thanks for bringing this up, Dian.
>>
>> +1 on creating a project specific security mailing list. My two cents, I
>> think it is worth doing in practice.
>>
>> Although the ASF security ML is always available, usually all the emails
>> are simply routed to the individual project PMC. This is an additional hop.
>> And in some cases, the best person to address the reported issue may not be
>> a PMC member, but a committer, so the PMC have to again involve them into
>> the loop. This makes things unnecessarily complicated. Having a project
>> specific security ML would make it much easier to have everyone at the
>> same table.
>>
>> Also, one thing to note is that even though the security issues are usually
>> rare, they could be devastating, thus need to be treated seriously. So I
>> think it is a good idea to establish the handling mechanism regardless of
>> the frequency of the reported security vulnerabilities.
>>
>> Thanks,
>>
>> Jiangjie (Becket) Qin
>>
>> On Fri, Nov 15, 2019 at 1:14 AM Yu Li <[hidden email]> wrote:
>>
>> > Thanks for bringing up this discussion Dian! How to report security
>> > bugs to our project is a very important topic!
>> >
>> > Big +1 on adding some explicit instructions in our document about how to
>> > report security issues, and I suggest to open another thread to vote the
>> > reporting way in Flink.
>> >
>> > FWIW, known options to report security issues include:
>> > 1. Set up [hidden email] and ask users to report security issues there
>> > 2. Ask users to send security report to [hidden email]
>> > 3. Ask users to send security report directly to [hidden email]
>> >
>> > More details:
>> >
>> > Descriptions on http://apache.org/security/:
>> > *============================================*
>> >
>> > *We strongly encourage folks to report security vulnerabilities to one of
>> > our private security mailing lists first, before disclosing them in a
>> > public forum.*
>> >
>> > *A list of security contacts for Apache projects
>> > <http://apache.org/security/projects.html> is available. If you can't find
>> > a project specific security e-mail address and you have an undisclosed
>> > security vulnerability to report then please use the general security
>> > address below.*
>> >
>> >
>> > *The general security mailing list address is: [hidden email]
>> > <[hidden email]>. This is a private mailing list.*
>> > *============================================*
>> >
>> > There are also projects directly using private@ mailing list to report
>> > security issues such as HBase (as documented at the very beginning in its
>> > online ref-guide book here <http://hbase.apache.org/book.html#_preface>).
>> >
>> > Hope this information helps. Thanks.
>> >
>> > Best Regards,
>> > Yu
>> >
>> >
>> > On Thu, 14 Nov 2019 at 18:11, Chesnay Schepler <[hidden email]> wrote:
>> >
>> > > Source: https://www.apache.org/security/
>> > >
>> > > Now, we can of course set up such a mailing list (as outlined here
>> > > https://www.apache.org/security/committers.html), but I'm not sure if it
>> > > is necessary since the number of reports is _really_ low.
>> > >
>> > > On 14/11/2019 11:03, Chesnay Schepler wrote:
>> > > > AFAIK, the official way to report vulnerabilities in any apache
>> > > > project is to write to [hidden email] and/or notify the
>> > > > respective PMC. So far, we had several reports that went this route,
>> > > > hence I'm not convinced that an additional ML is required.
>> > > >
>> > > > I would be fine with an additional paragraph somewhere outlining this
>> > > > though.
>> > > >
>> > > > On 14/11/2019 06:57, Jark Wu wrote:
>> > > >> Hi Dian,
>> > > >>
>> > > >> Good idea and +1 to setup security mailing list.
>> > > >> Security vulnerabilities should not be publicly disclosed (e.g. via
>> > > >> dev ML or JIRA) until the project has responded.
>> > > >> However, AFAIK, Flink doesn't have an official process to
>> > > >> report vulnerabilities.
>> > > >> It would be nice to have one to protect Flink users and respond to
>> > > >> security problems quickly.
>> > > >>
>> > > >> Btw, we may also need a dedicated page to describe the security
>> > > >> vulnerabilities report process and CVE list on the website.
>> > > >>
>> > > >> Best,
>> > > >> Jark
>> > > >>
>> > > >>
>> > > >>
>> > > >> On Thu, 14 Nov 2019 at 13:36, Hequn Cheng <[hidden email]> wrote:
>> > > >>
>> > > >>> Hi Dian,
>> > > >>>
>> > > >>> Good idea! +1 to have a security mailing list.
>> > > >>> It is nice for Flink to have an official procedure to handle security
>> > > >>> problems, e.g., reporting, addressing and publishing.
>> > > >>>
>> > > >>> Best, Hequn
>> > > >>>
>> > > >>> On Thu, Nov 14, 2019 at 1:20 PM Jeff Zhang <[hidden email]> wrote:
>> > > >>>
>> > > >>>> Thanks Dian Fu for this proposal. +1 for creating a security mailing
>> > > >>>> list. To be noted, the security mailing list is a private mailing
>> > > >>>> list and cannot be subscribed to publicly.
>> > > >>>> FYI, Apache members can create a mailing list using this self-service
>> > > >>>> tool https://selfserve.apache.org/
>> > > >>>>
>> > > >>>>
>> > > >>>> On Thu, Nov 14, 2019 at 12:25 PM, jincheng sun <[hidden email]> wrote:
>> > > >>>>
>> > > >>>>> Hi Dian,
>> > > >>>>>
>> > > >>>>> Thanks a lot for bringing up this discussion. This is very important
>> > > >>>>> for the Flink community!
>> > > >>>>>
>> > > >>>>> I think setting up a security mailing list for Flink is pretty nice,
>> > > >>>>> although `[hidden email]` can be used and the report will be
>> > > >>>>> forwarded to the Flink private mailing list if there is no
>> > > >>>>> project-specific security mailing list. One thing that is pretty sure
>> > > >>>>> is that we should guide users on how to report security issues on the
>> > > >>>>> Flink website, as security vulnerabilities should not be entered into
>> > > >>>>> a project's public bug tracker directly, according to the guidance on
>> > > >>>>> how to handle security vulnerabilities on the ASF site [1].
>> > > >>>>>
>> > > >>>>> Besides, we also need to add a security page in Flink which shows the
>> > > >>>>> information about the security vulnerabilities, per the guidance on
>> > > >>>>> security vulnerabilities on the ASF site [2]. Projects such as
>> > > >>>>> Spark [3], Kafka [4], etc. already have such a page.
>> > > >>>>>
>> > > >>>>> Best, Jincheng
>> > > >>>>>
>> > > >>>>> [1] https://www.apache.org/security/committers.html#vulnerability-handling
>> > > >>>>> [2] https://www.apache.org/security/committers.html#publishing-information
>> > > >>>>> [3] https://spark.apache.org/security.html
>> > > >>>>> [4] https://kafka.apache.org/cve-list
>> > > >>>>>
>> > > >>>>> On Thu, Nov 14, 2019 at 12:12 PM, Dian Fu <[hidden email]> wrote:
>> > > >>>>>
>> > > >>>>>> Hi all,
>> > > >>>>>>
>> > > >>>>>> I'm reaching out to see if there is an existing security specific
>> > > >>>>>> mailing list in Flink. If there is, we should expose it in the
>> > > >>>>>> official web site of Flink [1] to guide people to report security
>> > > >>>>>> issues to this mailing list. If it still doesn't exist, I'm here to
>> > > >>>>>> propose to set up a [hidden email] mailing list for reporting
>> > > >>>>>> and discussion of security specific issues. Currently, most well
>> > > >>>>>> known apache projects such as apache common[2], hadoop[3], spark[4],
>> > > >>>>>> kafka[5], hive[6], etc have a security specific mailing list. It
>> > > >>>>>> would be nice if there is also a security specific mailing list for
>> > > >>>>>> Flink.
>> > > >>>>>>
>> > > >>>>>> Note that users should report security issues to the security
>> > > >>>>>> mailing list.
>> > > >>>>>>
>> > > >>>>>> Looking forward to your feedback!
>> > > >>>>>>
>> > > >>>>>> Regards,
>> > > >>>>>> Dian
>> > > >>>>>>
>> > > >>>>>> [1] https://flink.apache.org/community.html
>> > > >>>>>> [2] https://commons.apache.org/mail-lists.html
>> > > >>>>>> [3] https://hadoop.apache.org/mailing_lists.html
>> > > >>>>>> [4] https://spark.apache.org/community.html
>> > > >>>>>> [5] https://kafka.apache.org/project-security.html
>> > > >>>>>> [6] https://hive.apache.org/mailing_lists.html
>> > > >>>>
>> > > >>>> --
>> > > >>>> Best Regards
>> > > >>>>
>> > > >>>> Jeff Zhang
>> > > >>>>
>> > > >
>> > > >
>> > >
>> > >
>> >
>>
>
>

Re: [DISCUSS] Expose or setup a security@flink.apache.org mailing list for security report and discussion

Chesnay Schepler-3
Turns out we already have a link to the Apache security page; in the
Apache section at the very bottom of the sidebar.

If I open the page it is unfortunately not visible...there are too many
things in the sidebar.

Nevertheless an additional entry as done in the PR cannot hurt. I'm
taking a look at it right now.

On 04/12/2019 04:45, Dian Fu wrote:

> Hi all,
>
> Just to sync the results of the vote for setting up a mailing list
> [hidden email]: it has been rejected [1].
>
> Another very important thing is that all the people agree that there should
> be a guideline on how to report security issues in Flink website. Do you
> think we should bring up a separate discussion/vote thread? If so, I will
> do that. Personally I think that discussing on the PR is enough. What do
> you think?
>
> I have created a PR [2]. I'd appreciate it if you could take a look.
>
> Regards,
> Dian
>
> [1]
> http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/VOTE-Setup-a-security-flink-apache-org-mailing-list-tt35205.html
> [2] https://github.com/apache/flink-web/pull/287
>
> On Thu, Nov 21, 2019 at 3:58 PM Dian Fu <[hidden email]> wrote:
>
>> Hi all,
>>
>> There is no new feedback and it seems that we have received enough
>> feedback about setting up a [hidden email] mailing list [1] for
>> security report and discussion. It shows that it's optional as we can use
>> either [hidden email] or [hidden email]. So I'd like to
>> start the vote for setting up a [hidden email] mailing list to make
>> the final decision.
>>
>> Thanks,
>> Dian