Posted to dev@airflow.apache.org by airflowuser <ai...@protonmail.com.INVALID> on 2018/09/03 07:20:05 UTC

Security issue being ignored?

Hi,
I noticed you opened a discussion about the necessity of Gitter...
I think the main problem is that, unlike other open source projects, with Airflow no one is monitoring the Jira. So people tend to report many things on Gitter to get assistance. Sometimes answers are given, but no one answers on the open tickets.

Other projects hosted on GitHub or elsewhere always have someone reviewing new tickets and tagging them. On Airflow, any user tags anything he wishes... there are no priorities. There are open tickets for version 1.7 which will probably stay there forever.

Airflow doesn't have this function in the team... no one monitors the Jira, and so there are cases like this:
https://issues.apache.org/jira/projects/AIRFLOW/issues/AIRFLOW-1260
A report of a security issue that no one sees. This could be nothing or it could be serious, but I think the Jira should be more than just a place to paste your commit notices.
In other projects the community handles security issues ASAP... no one wants his project to be hacked.

May I suggest that the Jira is not very user-friendly... I think the GitHub issues section (which is disabled in this project) is better for discussion and bug reports. This can be used for questions as well and can also replace the Gitter.
I noticed that many people submit a PR and only then is there a discussion about the implementation - the discussion should be done before... not everyone is on mailing lists, especially new developers - you are limiting access to the project with this approach. See how many open PRs are from 2017, 2016...
It's easier for first-time committers to choose a ticket which is tagged as "easy fix" and on which there was a discussion.

Thanks,

Re: Security issue being ignored?

Posted by Bolke de Bruin <bd...@gmail.com>.
Both are not security vulnerabilities: either it is in an upstream project or it is due to the way Airflow can be used. PR is welcome for the second JIRA.

B.

Sent from my iPad

> On 6 Sep 2018, at 11:07, airflowuser <ai...@protonmail.com.INVALID> wrote:
> 
> Another example:
> https://issues.apache.org/jira/projects/AIRFLOW/issues/AIRFLOW-2283

Re: Security issue being ignored?

Posted by airflowuser <ai...@protonmail.com.INVALID>.
Another example:
https://issues.apache.org/jira/projects/AIRFLOW/issues/AIRFLOW-2283
