[VOTE] Setup a security@flink.apache.org mailing list

Dian Fu-2
Hi all,

According to our previous discussion in [1], I'd like to bring up a vote to set up a [hidden email] mailing list.

The vote will be open for at least 72 hours (excluding weekend). I'll try to close it by 2019-11-26 18:00 UTC, unless there is an objection or not enough votes.

Regards,
Dian

[1] http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/DISCUSS-Expose-or-setup-a-security-flink-apache-org-mailing-list-for-security-report-and-discussion-tt34950.html#a34951

Re: [VOTE] Setup a security@flink.apache.org mailing list

jincheng sun
+1

On Thu, Nov 21, 2019 at 4:11 PM Dian Fu <[hidden email]> wrote:

> Hi all,
>
> According to our previous discussion in [1], I'd like to bring up a vote
> to set up a [hidden email] mailing list.
>
> The vote will be open for at least 72 hours (excluding weekend). I'll try
> to close it by 2019-11-26 18:00 UTC, unless there is an objection or not
> enough votes.
>
> Regards,
> Dian
>
> [1]
> http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/DISCUSS-Expose-or-setup-a-security-flink-apache-org-mailing-list-for-security-report-and-discussion-tt34950.html#a34951

Re: [VOTE] Setup a security@flink.apache.org mailing list

dwysakowicz
Hi all,

What is the voting scheme for it? I am not sure if it falls into any of
the categories we have listed in our bylaws. Are committers' votes
binding or just PMCs'? (Personally I think it should be PMCs') Is this a
binding vote or just an informational vote?

Best,

Dawid

On 25/11/2019 07:34, jincheng sun wrote:

> +1
>
> On Thu, Nov 21, 2019 at 4:11 PM Dian Fu <[hidden email]> wrote:
>
>> Hi all,
>>
>> According to our previous discussion in [1], I'd like to bring up a vote
>> to set up a [hidden email] mailing list.
>>
>> The vote will be open for at least 72 hours (excluding weekend). I'll try
>> to close it by 2019-11-26 18:00 UTC, unless there is an objection or not
>> enough votes.
>>
>> Regards,
>> Dian
>>
>> [1]
>> http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/DISCUSS-Expose-or-setup-a-security-flink-apache-org-mailing-list-for-security-report-and-discussion-tt34950.html#a34951



Re: [VOTE] Setup a security@flink.apache.org mailing list

Robert Metzger
I agree that we are only counting PMC votes (because this decision goes
beyond the codebase)

I'm undecided what to vote :) I'm not against setting up a new mailing
list, but I also don't think the benefit (having a private list with PMC +
committers) is enough to justify the work involved. As far as I remember,
we have received 2 security issue notices, both basically about the same
issue.  I'll leave it to other PMC members to support this if they want to
...


On Mon, Nov 25, 2019 at 9:15 AM Dawid Wysakowicz <[hidden email]>
wrote:

> Hi all,
>
> What is the voting scheme for it? I am not sure if it falls into any of
> the categories we have listed in our bylaws. Are committers votes
> binding or just PMCs'? (Personally I think it should be PMCs') Is this a
> binding vote or just an informational vote?
>
> Best,
>
> Dawid
>
> On 25/11/2019 07:34, jincheng sun wrote:
> > +1
> >
> > On Thu, Nov 21, 2019 at 4:11 PM Dian Fu <[hidden email]> wrote:
> >
> >> Hi all,
> >>
> >> According to our previous discussion in [1], I'd like to bring up a vote
> >> to set up a [hidden email] mailing list.
> >>
> >> The vote will be open for at least 72 hours (excluding weekend). I'll
> try
> >> to close it by 2019-11-26 18:00 UTC, unless there is an objection or not
> >> enough votes.
> >>
> >> Regards,
> >> Dian
> >>
> >> [1]
> >>
> http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/DISCUSS-Expose-or-setup-a-security-flink-apache-org-mailing-list-for-security-report-and-discussion-tt34950.html#a34951
>
>

Re: [VOTE] Setup a security@flink.apache.org mailing list

jincheng sun
I also think that we should only count PMC votes.

This ML is to improve the security mechanism for Flink. Of course we don't
expect to use this ML often. I hope that it's perfect if this ML is never
used. However, the Flink community is growing rapidly, it's better to make
our security mechanism as convenient as possible. But I agree that this ML
is not a must to have, it's nice to have.

So, I give the vote as +1(binding).

Best,
Jincheng

On Mon, Nov 25, 2019 at 9:45 PM Robert Metzger <[hidden email]> wrote:

> I agree that we are only counting PMC votes (because this decision goes
> beyond the codebase)
>
> I'm undecided what to vote :) I'm not against setting up a new mailing
> list, but I also don't think the benefit (having a private list with PMC +
> committers) is enough to justify the work involved. As far as I remember,
> we have received 2 security issue notices, both basically about the same
> issue.  I'll leave it to other PMC members to support this if they want to
> ...
>
>
> On Mon, Nov 25, 2019 at 9:15 AM Dawid Wysakowicz <[hidden email]>
> wrote:
>
> > Hi all,
> >
> > What is the voting scheme for it? I am not sure if it falls into any of
> > the categories we have listed in our bylaws. Are committers votes
> > binding or just PMCs'? (Personally I think it should be PMCs') Is this a
> > binding vote or just an informational vote?
> >
> > Best,
> >
> > Dawid
> >
> > On 25/11/2019 07:34, jincheng sun wrote:
> > > +1
> > >
> > > On Thu, Nov 21, 2019 at 4:11 PM Dian Fu <[hidden email]> wrote:
> > >
> > >> Hi all,
> > >>
> > >> According to our previous discussion in [1], I'd like to bring up a
> vote
> > >> to set up a [hidden email] mailing list.
> > >>
> > >> The vote will be open for at least 72 hours (excluding weekend). I'll
> > try
> > >> to close it by 2019-11-26 18:00 UTC, unless there is an objection or
> not
> > >> enough votes.
> > >>
> > >> Regards,
> > >> Dian
> > >>
> > >> [1]
> > >>
> >
> http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/DISCUSS-Expose-or-setup-a-security-flink-apache-org-mailing-list-for-security-report-and-discussion-tt34950.html#a34951
> >
> >
>

Re: [VOTE] Setup a security@flink.apache.org mailing list

Dian Fu-2
NOTE: Only PMC votes are binding.

Thanks for sharing your thoughts. I also think that this doesn't fall into any of the existing categories listed in the bylaws. Maybe we could do some improvements for the bylaws.

This is not a codebase change as Robert mentioned and it's related to how to manage Flink's development in a good way. So, I agree with Robert and Jincheng that this VOTE should only count PMC votes for now.

Thanks,
Dian

> On Nov 26, 2019, at 11:43 AM, jincheng sun <[hidden email]> wrote:
>
> I also think that we should only count PMC votes.
>
> This ML is to improve the security mechanism for Flink. Of course we don't
> expect to use this
> ML often. I hope that it's perfect if this ML is never used. However, the
> Flink community is growing rapidly, it's better to
> make our security mechanism as convenient as possible. But I agree that
> this ML is not a must to have, it's nice to have.
>
> So, I give the vote as +1(binding).
>
> Best,
> Jincheng
>
> On Mon, Nov 25, 2019 at 9:45 PM Robert Metzger <[hidden email]> wrote:
>
>> I agree that we are only counting PMC votes (because this decision goes
>> beyond the codebase)
>>
>> I'm undecided what to vote :) I'm not against setting up a new mailing
>> list, but I also don't think the benefit (having a private list with PMC +
>> committers) is enough to justify the work involved. As far as I remember,
>> we have received 2 security issue notices, both basically about the same
>> issue.  I'll leave it to other PMC members to support this if they want to
>> ...
>>
>>
>> On Mon, Nov 25, 2019 at 9:15 AM Dawid Wysakowicz <[hidden email]>
>> wrote:
>>
>>> Hi all,
>>>
>>> What is the voting scheme for it? I am not sure if it falls into any of
>>> the categories we have listed in our bylaws. Are committers votes
>>> binding or just PMCs'? (Personally I think it should be PMCs') Is this a
>>> binding vote or just an informational vote?
>>>
>>> Best,
>>>
>>> Dawid
>>>
>>> On 25/11/2019 07:34, jincheng sun wrote:
>>>> +1
>>>>
>>>> On Thu, Nov 21, 2019 at 4:11 PM Dian Fu <[hidden email]> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> According to our previous discussion in [1], I'd like to bring up a
>> vote
>>>>> to set up a [hidden email] mailing list.
>>>>>
>>>>> The vote will be open for at least 72 hours (excluding weekend). I'll
>>> try
>>>>> to close it by 2019-11-26 18:00 UTC, unless there is an objection or
>> not
>>>>> enough votes.
>>>>>
>>>>> Regards,
>>>>> Dian
>>>>>
>>>>> [1]
>>>>>
>>>
>> http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/DISCUSS-Expose-or-setup-a-security-flink-apache-org-mailing-list-for-security-report-and-discussion-tt34950.html#a34951
>>>
>>>
>>


Re: [VOTE] Setup a security@flink.apache.org mailing list

Becket Qin
Thanks for driving this, Dian.

+1 from me, for the reasons I mentioned in the discussion thread.

On Tue, Nov 26, 2019 at 12:08 PM Dian Fu <[hidden email]> wrote:

> NOTE: Only PMC votes is binding.
>
> Thanks for sharing your thoughts. I also think that this doesn't fall into
> any of the existing categories listed in the bylaws. Maybe we could do some
> improvements for the bylaws.
>
> This is not codebase change as Robert mentioned and it's related to how to
> manage Flink's development in a good way. So, I agree with Robert and
> Jincheng that this VOTE should only count PMC votes for now.
>
> Thanks,
> Dian
>
> > On Nov 26, 2019, at 11:43 AM, jincheng sun <[hidden email]> wrote:
> >
> > I also think that we should only count PMC votes.
> >
> > This ML is to improve the security mechanism for Flink. Of course we
> don't
> > expect to use this
> > ML often. I hope that it's perfect if this ML is never used. However, the
> > Flink community is growing rapidly, it's better to
> > make our security mechanism as convenient as possible. But I agree that
> > this ML is not a must to have, it's nice to have.
> >
> > So, I give the vote as +1(binding).
> >
> > Best,
> > Jincheng
> >
> > On Mon, Nov 25, 2019 at 9:45 PM Robert Metzger <[hidden email]> wrote:
> >
> >> I agree that we are only counting PMC votes (because this decision goes
> >> beyond the codebase)
> >>
> >> I'm undecided what to vote :) I'm not against setting up a new mailing
> >> list, but I also don't think the benefit (having a private list with
> PMC +
> >> committers) is enough to justify the work involved. As far as I
> remember,
> >> we have received 2 security issue notices, both basically about the same
> >> issue.  I'll leave it to other PMC members to support this if they want
> to
> >> ...
> >>
> >>
> >> On Mon, Nov 25, 2019 at 9:15 AM Dawid Wysakowicz <
> [hidden email]>
> >> wrote:
> >>
> >>> Hi all,
> >>>
> >>> What is the voting scheme for it? I am not sure if it falls into any of
> >>> the categories we have listed in our bylaws. Are committers votes
> >>> binding or just PMCs'? (Personally I think it should be PMCs') Is this
> a
> >>> binding vote or just an informational vote?
> >>>
> >>> Best,
> >>>
> >>> Dawid
> >>>
> >>> On 25/11/2019 07:34, jincheng sun wrote:
> >>>> +1
> >>>>
> >>>> On Thu, Nov 21, 2019 at 4:11 PM Dian Fu <[hidden email]> wrote:
> >>>>
> >>>>> Hi all,
> >>>>>
> >>>>> According to our previous discussion in [1], I'd like to bring up a
> >> vote
> >>>>> to set up a [hidden email] mailing list.
> >>>>>
> >>>>> The vote will be open for at least 72 hours (excluding weekend). I'll
> >>> try
> >>>>> to close it by 2019-11-26 18:00 UTC, unless there is an objection or
> >> not
> >>>>> enough votes.
> >>>>>
> >>>>> Regards,
> >>>>> Dian
> >>>>>
> >>>>> [1]
> >>>>>
> >>>
> >>
> http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/DISCUSS-Expose-or-setup-a-security-flink-apache-org-mailing-list-for-security-report-and-discussion-tt34950.html#a34951
> >>>
> >>>
> >>
>
>

Re: [VOTE] Setup a security@flink.apache.org mailing list

Chesnay Schepler-3
Would [hidden email] work as any other private ML?

Contrary to what Becket said in the discussion thread,
[hidden email] is not just "another hop"; it provides guiding
material, the security team checks for activity and can be pinged easily
as they are cc'd in the initial report.

I vastly prefer this over a separate mailing list; if these benefits
don't apply to [hidden email] I'm -1 on this.

On 02/12/2019 02:28, Becket Qin wrote:

> Thanks for driving this, Dian.
>
> +1 from me, for the reasons I mentioned in the discussion thread.
>
> On Tue, Nov 26, 2019 at 12:08 PM Dian Fu <[hidden email]> wrote:
>
>> NOTE: Only PMC votes is binding.
>>
>> Thanks for sharing your thoughts. I also think that this doesn't fall into
>> any of the existing categories listed in the bylaws. Maybe we could do some
>> improvements for the bylaws.
>>
>> This is not codebase change as Robert mentioned and it's related to how to
>> manage Flink's development in a good way. So, I agree with Robert and
>> Jincheng that this VOTE should only count PMC votes for now.
>>
>> Thanks,
>> Dian
>>
>>> On Nov 26, 2019, at 11:43 AM, jincheng sun <[hidden email]> wrote:
>>>
>>> I also think that we should only count PMC votes.
>>>
>>> This ML is to improve the security mechanism for Flink. Of course we
>> don't
>>> expect to use this
>>> ML often. I hope that it's perfect if this ML is never used. However, the
>>> Flink community is growing rapidly, it's better to
>>> make our security mechanism as convenient as possible. But I agree that
>>> this ML is not a must to have, it's nice to have.
>>>
>>> So, I give the vote as +1(binding).
>>>
>>> Best,
>>> Jincheng
>>>
>>> On Mon, Nov 25, 2019 at 9:45 PM Robert Metzger <[hidden email]> wrote:
>>>
>>>> I agree that we are only counting PMC votes (because this decision goes
>>>> beyond the codebase)
>>>>
>>>> I'm undecided what to vote :) I'm not against setting up a new mailing
>>>> list, but I also don't think the benefit (having a private list with
>> PMC +
>>>> committers) is enough to justify the work involved. As far as I
>> remember,
>>>> we have received 2 security issue notices, both basically about the same
>>>> issue.  I'll leave it to other PMC members to support this if they want
>> to
>>>> ...
>>>>
>>>>
>>>> On Mon, Nov 25, 2019 at 9:15 AM Dawid Wysakowicz <
>> [hidden email]>
>>>> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> What is the voting scheme for it? I am not sure if it falls into any of
>>>>> the categories we have listed in our bylaws. Are committers votes
>>>>> binding or just PMCs'? (Personally I think it should be PMCs') Is this
>> a
>>>>> binding vote or just an informational vote?
>>>>>
>>>>> Best,
>>>>>
>>>>> Dawid
>>>>>
>>>>> On 25/11/2019 07:34, jincheng sun wrote:
>>>>>> +1
>>>>>>
>>>>>> On Thu, Nov 21, 2019 at 4:11 PM Dian Fu <[hidden email]> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> According to our previous discussion in [1], I'd like to bring up a
>>>> vote
>>>>>>> to set up a [hidden email] mailing list.
>>>>>>>
>>>>>>> The vote will be open for at least 72 hours (excluding weekend). I'll
>>>>> try
>>>>>>> to close it by 2019-11-26 18:00 UTC, unless there is an objection or
>>>> not
>>>>>>> enough votes.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Dian
>>>>>>>
>>>>>>> [1]
>>>>>>>
>> http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/DISCUSS-Expose-or-setup-a-security-flink-apache-org-mailing-list-for-security-report-and-discussion-tt34950.html#a34951
>>>>>
>>


Re: [VOTE] Setup a security@flink.apache.org mailing list

Dian Fu-2
Actually, I have tried to find out the reason why so many Apache projects choose to set up a project-specific security mailing list in case that the general [hidden email] mailing list seems to be working well. Unfortunately, there are no open discussions in these projects and there is also no clear guideline/standard on the ASF site on whether a project should set up such a mailing list (the project-specific security mailing list seems to be only optional, and we noticed that at the beginning of the discussion). This is also one of the main reasons we started such a discussion, to see if somebody has more thoughts about this.

> On Dec 2, 2019, at 6:03 PM, Chesnay Schepler <[hidden email]> wrote:
>
> Would [hidden email] work as any other private ML?
>
> Contrary to what Becket said in the discussion thread, [hidden email] is not just "another hop"; it provides guiding material, the security team checks for activity and can be pinged easily as they are cc'd in the initial report.
>
> I vastly prefer this over a separate mailing list; if these benefits don't apply to [hidden email] I'm -1 on this.
>
> On 02/12/2019 02:28, Becket Qin wrote:
>> Thanks for driving this, Dian.
>>
>> +1 from me, for the reasons I mentioned in the discussion thread.
>>
>> On Tue, Nov 26, 2019 at 12:08 PM Dian Fu <[hidden email]> wrote:
>>
>>> NOTE: Only PMC votes is binding.
>>>
>>> Thanks for sharing your thoughts. I also think that this doesn't fall into
>>> any of the existing categories listed in the bylaws. Maybe we could do some
>>> improvements for the bylaws.
>>>
>>> This is not codebase change as Robert mentioned and it's related to how to
>>> manage Flink's development in a good way. So, I agree with Robert and
>>> Jincheng that this VOTE should only count PMC votes for now.
>>>
>>> Thanks,
>>> Dian
>>>
>>>> On Nov 26, 2019, at 11:43 AM, jincheng sun <[hidden email]> wrote:
>>>>
>>>> I also think that we should only count PMC votes.
>>>>
>>>> This ML is to improve the security mechanism for Flink. Of course we
>>> don't
>>>> expect to use this
>>>> ML often. I hope that it's perfect if this ML is never used. However, the
>>>> Flink community is growing rapidly, it's better to
>>>> make our security mechanism as convenient as possible. But I agree that
>>>> this ML is not a must to have, it's nice to have.
>>>>
>>>> So, I give the vote as +1(binding).
>>>>
>>>> Best,
>>>> Jincheng
>>>>
>>>> On Mon, Nov 25, 2019 at 9:45 PM Robert Metzger <[hidden email]> wrote:
>>>>
>>>>> I agree that we are only counting PMC votes (because this decision goes
>>>>> beyond the codebase)
>>>>>
>>>>> I'm undecided what to vote :) I'm not against setting up a new mailing
>>>>> list, but I also don't think the benefit (having a private list with
>>> PMC +
>>>>> committers) is enough to justify the work involved. As far as I
>>> remember,
>>>>> we have received 2 security issue notices, both basically about the same
>>>>> issue.  I'll leave it to other PMC members to support this if they want
>>> to
>>>>> ...
>>>>>
>>>>>
>>>>> On Mon, Nov 25, 2019 at 9:15 AM Dawid Wysakowicz <
>>> [hidden email]>
>>>>> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> What is the voting scheme for it? I am not sure if it falls into any of
>>>>>> the categories we have listed in our bylaws. Are committers votes
>>>>>> binding or just PMCs'? (Personally I think it should be PMCs') Is this
>>> a
>>>>>> binding vote or just an informational vote?
>>>>>>
>>>>>> Best,
>>>>>>
>>>>>> Dawid
>>>>>>
>>>>>> On 25/11/2019 07:34, jincheng sun wrote:
>>>>>>> +1
>>>>>>>
>>>>>>> On Thu, Nov 21, 2019 at 4:11 PM Dian Fu <[hidden email]> wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> According to our previous discussion in [1], I'd like to bring up a
>>>>> vote
>>>>>>>> to set up a [hidden email] mailing list.
>>>>>>>>
>>>>>>>> The vote will be open for at least 72 hours (excluding weekend). I'll
>>>>>> try
>>>>>>>> to close it by 2019-11-26 18:00 UTC, unless there is an objection or
>>>>> not
>>>>>>>> enough votes.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Dian
>>>>>>>>
>>>>>>>> [1]
>>>>>>>>
>>> http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/DISCUSS-Expose-or-setup-a-security-flink-apache-org-mailing-list-for-security-report-and-discussion-tt34950.html#a34951
>>>>>>
>>>
>


Re: [VOTE] Setup a security@flink.apache.org mailing list

Dian Fu-2
Hi all,

Thanks everyone for participating in this vote. As we have received only two +1 and there is also one -1 for this vote, according to the bylaws, I'm sorry to announce that this proposal was rejected.

Nevertheless, I think we can always restart the discussion in the future if we see more evidence that such a mailing list is necessary.

Thanks,
Dian


> On Dec 3, 2019, at 4:53 PM, Dian Fu <[hidden email]> wrote:
>
> Actually I have tried to find out the reason why so many apache projects choose to set up a project specific security mailing list in case that the general [hidden email] mailing list seems working well. Unfortunately, there is no open discussions in these projects and there is also no clear guideline/standard in the ASF site whether a project should set up such a mailing list (The project specific security mailing list seems only an optional and we noticed that at the beginning of the discussion). This is also one of the main reasons we start such a discussion to see if somebody has more thoughts about this.
>
>> On Dec 2, 2019, at 6:03 PM, Chesnay Schepler <[hidden email]> wrote:
>>
>> Would [hidden email] work as any other private ML?
>>
>> Contrary to what Becket said in the discussion thread, [hidden email] is not just "another hop"; it provides guiding material, the security team checks for activity and can be pinged easily as they are cc'd in the initial report.
>>
>> I vastly prefer this over a separate mailing list; if these benefits don't apply to [hidden email] I'm -1 on this.
>>
>> On 02/12/2019 02:28, Becket Qin wrote:
>>> Thanks for driving this, Dian.
>>>
>>> +1 from me, for the reasons I mentioned in the discussion thread.
>>>
>>> On Tue, Nov 26, 2019 at 12:08 PM Dian Fu <[hidden email]> wrote:
>>>
>>>> NOTE: Only PMC votes is binding.
>>>>
>>>> Thanks for sharing your thoughts. I also think that this doesn't fall into
>>>> any of the existing categories listed in the bylaws. Maybe we could do some
>>>> improvements for the bylaws.
>>>>
>>>> This is not codebase change as Robert mentioned and it's related to how to
>>>> manage Flink's development in a good way. So, I agree with Robert and
>>>> Jincheng that this VOTE should only count PMC votes for now.
>>>>
>>>> Thanks,
>>>> Dian
>>>>
>>>>> On Nov 26, 2019, at 11:43 AM, jincheng sun <[hidden email]> wrote:
>>>>>
>>>>> I also think that we should only count PMC votes.
>>>>>
>>>>> This ML is to improve the security mechanism for Flink. Of course we
>>>> don't
>>>>> expect to use this
>>>>> ML often. I hope that it's perfect if this ML is never used. However, the
>>>>> Flink community is growing rapidly, it's better to
>>>>> make our security mechanism as convenient as possible. But I agree that
>>>>> this ML is not a must to have, it's nice to have.
>>>>>
>>>>> So, I give the vote as +1(binding).
>>>>>
>>>>> Best,
>>>>> Jincheng
>>>>>
>>>>> On Mon, Nov 25, 2019 at 9:45 PM Robert Metzger <[hidden email]> wrote:
>>>>>
>>>>>> I agree that we are only counting PMC votes (because this decision goes
>>>>>> beyond the codebase)
>>>>>>
>>>>>> I'm undecided what to vote :) I'm not against setting up a new mailing
>>>>>> list, but I also don't think the benefit (having a private list with
>>>> PMC +
>>>>>> committers) is enough to justify the work involved. As far as I
>>>> remember,
>>>>>> we have received 2 security issue notices, both basically about the same
>>>>>> issue.  I'll leave it to other PMC members to support this if they want
>>>> to
>>>>>> ...
>>>>>>
>>>>>>
>>>>>> On Mon, Nov 25, 2019 at 9:15 AM Dawid Wysakowicz <
>>>> [hidden email]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> What is the voting scheme for it? I am not sure if it falls into any of
>>>>>>> the categories we have listed in our bylaws. Are committers votes
>>>>>>> binding or just PMCs'? (Personally I think it should be PMCs') Is this
>>>> a
>>>>>>> binding vote or just an informational vote?
>>>>>>>
>>>>>>> Best,
>>>>>>>
>>>>>>> Dawid
>>>>>>>
>>>>>>> On 25/11/2019 07:34, jincheng sun wrote:
>>>>>>>> +1
>>>>>>>>
>>>>>>>> On Thu, Nov 21, 2019 at 4:11 PM Dian Fu <[hidden email]> wrote:
>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> According to our previous discussion in [1], I'd like to bring up a
>>>>>> vote
>>>>>>>>> to set up a [hidden email] mailing list.
>>>>>>>>>
>>>>>>>>> The vote will be open for at least 72 hours (excluding weekend). I'll
>>>>>>> try
>>>>>>>>> to close it by 2019-11-26 18:00 UTC, unless there is an objection or
>>>>>> not
>>>>>>>>> enough votes.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Dian
>>>>>>>>>
>>>>>>>>> [1]
>>>>>>>>>
>>>> http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/DISCUSS-Expose-or-setup-a-security-flink-apache-org-mailing-list-for-security-report-and-discussion-tt34950.html#a34951
>>>>>>>
>>>>
>>
>


Re: [VOTE] Setup a security@flink.apache.org mailing list

Becket Qin
Hi Dian,

Thanks for driving the effort regardless.

Even if we don't set up a [hidden email] ML for Flink, we probably should
have a clear pointer to the ASF guideline and [hidden email] in the
project website. I think many people are not aware of the
[hidden email] address. If they failed to find information in the
Flink site, they will simply assume there is no special procedure for
security problems.

Thanks,

Jiangjie (Becket) Qin

On Tue, Dec 3, 2019 at 4:54 PM Dian Fu <[hidden email]> wrote:

> Hi all,
>
> Thanks everyone for participating this vote. As we have received only two
> +1 and there is also one -1 for this vote, according to the bylaws, I'm
> sorry to announce that this proposal was rejected.
>
> Nevertheless, I think we can always restart the discussion in the future if
> we see more evidence that such a mailing list is necessary.
>
> Thanks,
> Dian
>
>
> > On Dec 3, 2019, at 4:53 PM, Dian Fu <[hidden email]> wrote:
> >
> > Actually I have tried to find out the reason why so many apache projects
> choose to set up a project specific security mailing list in case that the
> general [hidden email] mailing list seems working well.
> Unfortunately, there is no open discussions in these projects and there is
> also no clear guideline/standard in the ASF site whether a project should
> set up such a mailing list (The project specific security mailing list
> seems only an optional and we noticed that at the beginning of the
> discussion). This is also one of the main reasons we start such a
> discussion to see if somebody has more thoughts about this.
> >
> >> On Dec 2, 2019, at 6:03 PM, Chesnay Schepler <[hidden email]> wrote:
> >>
> >> Would [hidden email] work as any other private ML?
> >>
> >> Contrary to what Becket said in the discussion thread,
> [hidden email] is not just "another hop"; it provides guiding
> material, the security team checks for activity and can be pinged easily as
> they are cc'd in the initial report.
> >>
> >> I vastly prefer this over a separate mailing list; if these benefits
> don't apply to [hidden email] I'm -1 on this.
> >>
> >> On 02/12/2019 02:28, Becket Qin wrote:
> >>> Thanks for driving this, Dian.
> >>>
> >>> +1 from me, for the reasons I mentioned in the discussion thread.
> >>>
> >>> On Tue, Nov 26, 2019 at 12:08 PM Dian Fu <[hidden email]>
> wrote:
> >>>
> >>>> NOTE: Only PMC votes is binding.
> >>>>
> >>>> Thanks for sharing your thoughts. I also think that this doesn't fall
> into
> >>>> any of the existing categories listed in the bylaws. Maybe we could
> do some
> >>>> improvements for the bylaws.
> >>>>
> >>>> This is not codebase change as Robert mentioned and it's related to
> how to
> >>>> manage Flink's development in a good way. So, I agree with Robert and
> >>>> Jincheng that this VOTE should only count PMC votes for now.
> >>>>
> >>>> Thanks,
> >>>> Dian
> >>>>
> >>>>> On Nov 26, 2019, at 11:43 AM, jincheng sun <[hidden email]> wrote:
> >>>>>
> >>>>> I also think that we should only count PMC votes.
> >>>>>
> >>>>> This ML is to improve the security mechanism for Flink. Of course we
> >>>> don't
> >>>>> expect to use this
> >>>>> ML often. I hope that it's perfect if this ML is never used.
> However, the
> >>>>> Flink community is growing rapidly, it's better to
> >>>>> make our security mechanism as convenient as possible. But I agree
> that
> >>>>> this ML is not a must to have, it's nice to have.
> >>>>>
> >>>>> So, I give the vote as +1(binding).
> >>>>>
> >>>>> Best,
> >>>>> Jincheng
> >>>>>
> >>>>> On Mon, Nov 25, 2019 at 9:45 PM Robert Metzger <[hidden email]> wrote:
> >>>>>
> >>>>>> I agree that we are only counting PMC votes (because this decision
> goes
> >>>>>> beyond the codebase)
> >>>>>>
> >>>>>> I'm undecided what to vote :) I'm not against setting up a new
> mailing
> >>>>>> list, but I also don't think the benefit (having a private list with
> >>>> PMC +
> >>>>>> committers) is enough to justify the work involved. As far as I
> >>>> remember,
> >>>>>> we have received 2 security issue notices, both basically about the
> same
> >>>>>> issue.  I'll leave it to other PMC members to support this if they
> want
> >>>> to
> >>>>>> ...
> >>>>>>
> >>>>>>
> >>>>>> On Mon, Nov 25, 2019 at 9:15 AM Dawid Wysakowicz <
> >>>> [hidden email]>
> >>>>>> wrote:
> >>>>>>
> >>>>>>> Hi all,
> >>>>>>>
> >>>>>>> What is the voting scheme for it? I am not sure if it falls into
> any of
> >>>>>>> the categories we have listed in our bylaws. Are committers votes
> >>>>>>> binding or just PMCs'? (Personally I think it should be PMCs') Is
> this
> >>>> a
> >>>>>>> binding vote or just an informational vote?
> >>>>>>>
> >>>>>>> Best,
> >>>>>>>
> >>>>>>> Dawid
> >>>>>>>
> >>>>>>> On 25/11/2019 07:34, jincheng sun wrote:
> >>>>>>>> +1
> >>>>>>>>
> >>>>>>>> On Thu, Nov 21, 2019 at 4:11 PM Dian Fu <[hidden email]> wrote:
> >>>>>>>>
> >>>>>>>>> Hi all,
> >>>>>>>>>
> >>>>>>>>> According to our previous discussion in [1], I'd like to bring
> up a
> >>>>>> vote
> >>>>>>>>> to set up a [hidden email] mailing list.
> >>>>>>>>>
> >>>>>>>>> The vote will be open for at least 72 hours (excluding weekend).
> I'll
> >>>>>>> try
> >>>>>>>>> to close it by 2019-11-26 18:00 UTC, unless there is an
> objection or
> >>>>>> not
> >>>>>>>>> enough votes.
> >>>>>>>>>
> >>>>>>>>> Regards,
> >>>>>>>>> Dian
> >>>>>>>>>
> >>>>>>>>> [1]
> >>>>>>>>>
> >>>>
> http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/DISCUSS-Expose-or-setup-a-security-flink-apache-org-mailing-list-for-security-report-and-discussion-tt34950.html#a34951
> >>>>>>>
> >>>>
> >>
> >
>
>

Re: [VOTE] Setup a security@flink.apache.org mailing list

Dian Fu-2
Hi Becket,

Thanks for the kind reminder. Definitely agree with you. I have updated the progress of this vote on the discussion thread[1] and submitted a PR which updates the Flink website on how to report security issues.

Thanks,
Dian

[1] http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/DISCUSS-Expose-or-setup-a-security-flink-apache-org-mailing-list-for-security-report-and-discussion-tt34950.html#a34951

> On Dec 4, 2019, at 7:29 AM, Becket Qin <[hidden email]> wrote:
>
> Hi Dian,
>
> Thanks for driving the effort regardless.
>
> Even if we don't setup a [hidden email] ML for Flink, we probably should
> have a clear pointer to the ASF guideline and [hidden email] in the
> project website. I think many people are not aware of the
> [hidden email] address. If they failed to find information in the
> Flink site, they will simply assume there is no special procedure for
> security problems.
>
> Thanks,
>
> Jiangjie (Becket) Qin
>
> On Tue, Dec 3, 2019 at 4:54 PM Dian Fu <[hidden email]> wrote:
>
>> Hi all,
>>
>> Thanks everyone for participating this vote. As we have received only two
>> +1 and there is also one -1 for this vote, according to the bylaws, I'm
>> sorry to announce that this proposal was rejected.
>>
>> Nevertheless, I think we can always restart the discussion in the future if
>> we see more evidence that such a mailing list is necessary.
>>
>> Thanks,
>> Dian
>>
>>
>>> On Dec 3, 2019, at 4:53 PM, Dian Fu <[hidden email]> wrote:
>>>
>>> Actually I have tried to find out the reason why so many Apache projects
>> choose to set up a project specific security mailing list in case that the
>> general [hidden email] mailing list seems working well.
>> Unfortunately, there are no open discussions in these projects and there is
>> also no clear guideline/standard in the ASF site whether a project should
>> set up such a mailing list (The project specific security mailing list
>> seems only optional and we noticed that at the beginning of the
>> discussion). This is also one of the main reasons we start such a
>> discussion to see if somebody has more thoughts about this.
>>>
>>>> On Dec 2, 2019, at 6:03 PM, Chesnay Schepler <[hidden email]> wrote:
>>>>
>>>> Would [hidden email] work as any other private ML?
>>>>
>>>> Contrary to what Becket said in the discussion thread,
>> [hidden email] is not just "another hop"; it provides guiding
>> material, the security team checks for activity and can be pinged easily as
>> they are cc'd in the initial report.
>>>>
>>>> I vastly prefer this over a separate mailing list; if these benefits
>> don't apply to [hidden email] I'm -1 on this.
>>>>
>>>> On 02/12/2019 02:28, Becket Qin wrote:
>>>>> Thanks for driving this, Dian.
>>>>>
>>>>> +1 from me, for the reasons I mentioned in the discussion thread.
>>>>>
>>>>> On Tue, Nov 26, 2019 at 12:08 PM Dian Fu <[hidden email]>
>> wrote:
>>>>>
>>>>>> NOTE: Only PMC votes are binding.
>>>>>>
>>>>>> Thanks for sharing your thoughts. I also think that this doesn't fall
>> into
>>>>>> any of the existing categories listed in the bylaws. Maybe we could
>> do some
>>>>>> improvements for the bylaws.
>>>>>>
>>>>>> This is not codebase change as Robert mentioned and it's related to
>> how to
>>>>>> manage Flink's development in a good way. So, I agree with Robert and
>>>>>> Jincheng that this VOTE should only count PMC votes for now.
>>>>>>
>>>>>> Thanks,
>>>>>> Dian
>>>>>>
>>>>>>> On Nov 26, 2019, at 11:43 AM, jincheng sun <[hidden email]> wrote:
>>>>>>>
>>>>>>> I also think that we should only count PMC votes.
>>>>>>>
>>>>>>> This ML is to improve the security mechanism for Flink. Of course we
>>>>>> don't
>>>>>>> expect to use this
>>>>>>> ML often. I hope that it's perfect if this ML is never used.
>> However, the
>>>>>>> Flink community is growing rapidly, it's better to
>>>>>>> make our security mechanism as convenient as possible. But I agree
>> that
>>>>>>> this ML is not a must to have, it's nice to have.
>>>>>>>
>>>>>>> So, I give the vote as +1(binding).
>>>>>>>
>>>>>>> Best,
>>>>>>> Jincheng
>>>>>>>
>>>>>>> On Mon, Nov 25, 2019 at 9:45 PM Robert Metzger <[hidden email]> wrote:
>>>>>>>
>>>>>>>> I agree that we are only counting PMC votes (because this decision
>> goes
>>>>>>>> beyond the codebase)
>>>>>>>>
>>>>>>>> I'm undecided what to vote :) I'm not against setting up a new
>> mailing
>>>>>>>> list, but I also don't think the benefit (having a private list with
>>>>>> PMC +
>>>>>>>> committers) is enough to justify the work involved. As far as I
>>>>>> remember,
>>>>>>>> we have received 2 security issue notices, both basically about the
>> same
>>>>>>>> issue.  I'll leave it to other PMC members to support this if they
>> want
>>>>>> to
>>>>>>>> ...
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Nov 25, 2019 at 9:15 AM Dawid Wysakowicz <
>>>>>> [hidden email]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> What is the voting scheme for it? I am not sure if it falls into
>> any of
>>>>>>>>> the categories we have listed in our bylaws. Are committers' votes
>>>>>>>>> binding or just PMCs'? (Personally I think it should be PMCs') Is
>> this
>>>>>> a
>>>>>>>>> binding vote or just an informational vote?
>>>>>>>>>
>>>>>>>>> Best,
>>>>>>>>>
>>>>>>>>> Dawid
>>>>>>>>>
>>>>>>>>> On 25/11/2019 07:34, jincheng sun wrote:
>>>>>>>>>> +1
>>>>>>>>>>
>>>>>>>>>> On Thu, Nov 21, 2019 at 4:11 PM Dian Fu <[hidden email]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi all,
>>>>>>>>>>>
>>>>>>>>>>> According to our previous discussion in [1], I'd like to bring
>> up a
>>>>>>>> vote
>>>>>>>>>>> to set up a [hidden email] mailing list.
>>>>>>>>>>>
>>>>>>>>>>> The vote will be open for at least 72 hours (excluding weekend).
>> I'll
>>>>>>>>> try
>>>>>>>>>>> to close it by 2019-11-26 18:00 UTC, unless there is an
>> objection or
>>>>>>>> not
>>>>>>>>>>> enough votes.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Dian
>>>>>>>>>>>
>>>>>>>>>>> [1]
>>>>>>>>>>>
>>>>>>
>> http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/DISCUSS-Expose-or-setup-a-security-flink-apache-org-mailing-list-for-security-report-and-discussion-tt34950.html#a34951
>>>>>>>>>
>>>>>>
>>>>
>>>
>>
>>