Posted to general@incubator.apache.org by Justin Mclean <ju...@classsoftware.com> on 2019/02/08 21:36:59 UTC

Renaming repos and security concerns

Hi,

In the thread on guidelines for distributions I suggested some common naming to help with trademarks, branding and be in line with release policy.

There's a possible security issue here, as people could (in theory) take over the old name and put something malicious there if the old name was removed.

Can rename GitHub
https://help.github.com/articles/renaming-a-repository/

Can’t rename docker
https://success.docker.com/article/how-do-you-rename-a-docker-hub-repository

Can’t rename on NPM
Can’t rename but can deprecate and point to new one

Can rename on PyPI
It is possible, and it also supports deprecation. But it is best to use the abandon feature and pick a replacement.

I think we’re fine with:
- GitHub is OK as it is controlled by INFRA
- Docker is OK as /u/apache is controlled by INFRA. Outside that space is a concern.
- NPM: you can deprecate the old one and point to the new one, so no one can take the old package
- PyPI: you can use abandon and point to a replacement, so no one can take the old package

Any other concerns?

Thanks,
Justin
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
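The takeover risk and the deprecate-and-point mitigation described in the message above lend themselves to an automated check. The following is an added example, not code from this thread or from Apache INFRA: a Python function that inspects an npm registry packument (the JSON document `GET https://registry.npmjs.org/<name>` returns) for a renamed package's old name and flags it when the name is unclaimed, unpublished, held by unexpected maintainers, or still has a version that is not deprecated with a notice naming the new package. The package names, maintainer account and packument contents below are constructed for the example and are not real registry data.

```python
"""Audit the old name of a renamed npm package for takeover risk.

Added example, not code from the mailing-list thread or from Apache INFRA.
A packument is the JSON the npm registry returns for GET /<name>: each entry
in its "versions" map carries a "deprecated" string once `npm deprecate` has
run, and "time" -> "unpublished" appears when the whole package was removed.
The sample documents at the bottom are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Verdict:
    old_name: str
    ok: bool
    reasons: List[str] = field(default_factory=list)


def check_old_name(old_name: str, new_name: str, packument: Optional[dict],
                   expected_maintainers: Set[str]) -> Verdict:
    """Decide whether old_name is still safely held after a rename to new_name.

    packument is None when the registry answered 404 for old_name.
    """
    v = Verdict(old_name, ok=True)

    if packument is None:
        # Nobody holds the name: the next publisher, malicious or not, gets it.
        v.ok = False
        v.reasons.append("old name is unclaimed on the registry (takeover risk)")
        return v

    if packument.get("time", {}).get("unpublished"):
        # An unpublished package becomes a free name once the registry's hold lapses.
        v.ok = False
        v.reasons.append("old package was unpublished (takeover risk)")
        return v

    maintainers = {m.get("name") for m in packument.get("maintainers", [])}
    if not maintainers & expected_maintainers:
        v.ok = False
        v.reasons.append(
            f"maintainers {sorted(str(m) for m in maintainers)} are not the expected owners")

    versions = packument.get("versions", {})
    if not versions:
        v.ok = False
        v.reasons.append("old package has no published versions")

    for ver, meta in versions.items():
        msg = meta.get("deprecated")
        if not msg:
            # A live version with no notice keeps installs landing on the old name.
            v.ok = False
            v.reasons.append(f"version {ver} is not deprecated")
        elif new_name not in msg:
            v.ok = False
            v.reasons.append(f"deprecation notice on {ver} does not name {new_name}")
    return v


def audit(renames: List[Tuple[str, str]], lookup, expected_maintainers: Set[str]) -> List[Verdict]:
    """Run check_old_name over (old, new) pairs; lookup(name) returns a packument or None."""
    return [check_old_name(old, new, lookup(old), expected_maintainers) for old, new in renames]


# --- constructed sample data (hypothetical names, not real registry responses) ---
EXPECTED_OWNERS = {"apache-infra"}

SAMPLE_REGISTRY: Dict[str, dict] = {
    # Rename handled correctly: every version deprecated and pointing at the new name.
    "example-old": {
        "maintainers": [{"name": "apache-infra"}],
        "versions": {
            "1.0.0": {"deprecated": "Renamed: install @apache/example-new instead"},
            "1.1.0": {"deprecated": "Renamed: install @apache/example-new instead"},
        },
    },
    # Latest version never deprecated, so installs still land on the old name.
    "example-partial": {
        "maintainers": [{"name": "apache-infra"}],
        "versions": {
            "2.0.0": {"deprecated": "Renamed: install @apache/example-new instead"},
            "2.1.0": {},
        },
    },
    # Old name is now held by an account outside the project.
    "example-hijacked": {
        "maintainers": [{"name": "someone-else"}],
        "versions": {"0.1.0": {"deprecated": "use @apache/example-new"}},
    },
}

RENAMES = [
    ("example-old", "@apache/example-new"),
    ("example-partial", "@apache/example-new"),
    ("example-hijacked", "@apache/example-new"),
    ("example-removed", "@apache/example-new"),  # absent from the registry entirely
]


def run_sample() -> List[Verdict]:
    return audit(RENAMES, SAMPLE_REGISTRY.get, EXPECTED_OWNERS)


if __name__ == "__main__":
    for verdict in run_sample():
        status = "OK" if verdict.ok else "RISK"
        print(f"{verdict.old_name}: {status} {'; '.join(verdict.reasons)}")
```

In a real job the `lookup` callable would fetch the packument over HTTP and map a 404 to `None`; the same shape of check applies to any registry that exposes per-version deprecation metadata, but the Docker Hub and PyPI cases in the message above have no equivalent field and need a different check.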


Re: Renaming repos and security concerns

Posted by Craig Russell <ap...@gmail.com>.
Hi Justin,

> On Feb 9, 2019, at 8:16 PM, Justin Mclean <ju...@classsoftware.com> wrote:
> 
> Hi,
> 
>> As I mentioned else-thread, I think the date should be the date the repository is moved to the Incubator, not the date the project is voted into the incubator. 
> 
> This seems reasonable, but that's not what has been happening in most cases: the repo gets transferred and then unapproved releases are made.

And I agree that once the repo is transferred, the project is under control of the PPMC and releases must then be approved by the PPMC and then the IPMC.
> 
> It may also make it hard for people outside that repo (including possibly some on the initial committers list) to get access if it’s under some corporation’s control.

And that's exactly what I would want. Granting access only to the "outside project committers" means that it's not under the control of the new PPMC. And releases in this phase of the project are not "approved Apache releases". Perfect.

Regards,

Craig

> 
> Thanks,
> Justin
> 

Craig L Russell
Secretary, Apache Software Foundation
clr@apache.org http://db.apache.org/jdo

Re: Renaming repos and security concerns

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

> As I mentioned else-thread, I think the date should be the date the repository is moved to the Incubator, not the date the project is voted into the incubator. 

This seems reasonable, but that's not what has been happening in most cases: the repo gets transferred and then unapproved releases are made.

It may also make it hard for people outside that repo (including possibly some on the initial committers list) to get access if it’s under some corporation’s control.

Thanks,
Justin


Re: Renaming repos and security concerns

Posted by Craig Russell <ap...@gmail.com>.

> On Feb 8, 2019, at 2:59 PM, Justin Mclean <ju...@classsoftware.com> wrote:
> 
> Hi,
> 
>> We need to make sure that pre-Apache releases whether source or binary are treated in a fair way.
> 
> As long as they are not after the date of incubation and clearly marked I see no issues.

As I mentioned else-thread, I think the date should be the date the repository is moved to the Incubator, not the date the project is voted into the incubator. 

Craig
> 
>> An über-comment - let’s be exceedingly careful with time limits for “compliance”.
> 
> What do you suggest? If a podling is not following ASF release policy how long do we give them to fix that? IMO if the podling is dealing with it then all is OK, but we can’t wait for months while that is happening.
> 
>> I think it would be good to finalize proposed policies from master copies on the wiki.
> 
> Here you go. Feel free to edit. [1]
> 
> Thanks,
> Justin 
> 
> 1. https://wiki.apache.org/incubator/DistributionGuidelines

Craig L Russell
Secretary, Apache Software Foundation
clr@apache.org http://db.apache.org/jdo

Re: Renaming repos and security concerns

Posted by Greg Stein <gs...@gmail.com>.
Hehe... I think she just said "patches welcome" 😋

On Sat, Feb 9, 2019, 08:19 Myrle Krantz <myrle@apache.org> wrote:

> I have no objections to you editing that into it.  I do however think it's
> important to explain the reasons for the rules together with the rules.
>
> Please note that I've mentioned legal jeopardy, so if you're going to
> "strengthen" the language you may need to delete existing text to avoid
> redundancy.  But again I have no objections to you doing that.
>
> Best Regards,
> Myrle
>
> On Sat, Feb 9, 2019 at 2:10 PM Justin Mclean <ju...@me.com> wrote:
>
> > Hi,
> >
> > > Thank you.  I've corrected some typos, and then added a motivation
> > > section.  Questions/comments/suggestions, as always, welcome.
> >
> > Thanks for edits but I think you missed the main reason, it's mostly
> > about the legal umbrella and protection we give our (P)PMCs. If they do
> > something outside of what is prescribed then there are possible
> > consequences. See [1] "Deviations from this policy may have an adverse
> > effect on the legal shield's effectiveness, or the insurance premiums
> > Apache pays to protect officers and directors, so are strongly
> > discouraged without prior, explicit board approval.” While there is still
> > a risk of someone taking legal action that’s less likely.
> >
> > Thanks,
> > Justin
> >
> > 1. http://www.apache.org/legal/release-policy.html#why
> >
> >
>

Re: Renaming repos and security concerns

Posted by Myrle Krantz <my...@apache.org>.
I have no objections to you editing that into it.  I do however think it's
important to explain the reasons for the rules together with the rules.

Please note that I've mentioned legal jeopardy, so if you're going to
"strengthen" the language you may need to delete existing text to avoid
redundancy.  But again I have no objections to you doing that.

Best Regards,
Myrle

On Sat, Feb 9, 2019 at 2:10 PM Justin Mclean <ju...@me.com> wrote:

> Hi,
>
> > Thank you.  I've corrected some typos, and then added a motivation
> > section.  Questions/comments/suggestions, as always, welcome.
>
> Thanks for edits but I think you missed the main reason, it's mostly about
> the legal umbrella and protection we give our (P)PMCs. If they do
> something outside of what is prescribed then there are possible
> consequences. See [1] "Deviations from this policy may have an adverse
> effect on the legal shield's effectiveness, or the insurance premiums
> Apache pays to protect officers and directors, so are strongly discouraged
> without prior, explicit board approval.” While there is still a risk of
> someone taking legal action that’s less likely.
>
> Thanks,
> Justin
>
> 1. http://www.apache.org/legal/release-policy.html#why
>
>

Re: Renaming repos and security concerns

Posted by Justin Mclean <ju...@me.com>.
Hi,

> Thank you.  I've corrected some typos, and then added a motivation
> section.  Questions/comments/suggestions, as always, welcome.

Thanks for edits but I think you missed the main reason, it's mostly about the legal umbrella and protection we give our (P)PMCs. If they do something outside of what is prescribed then there are possible consequences. See [1] "Deviations from this policy may have an adverse effect on the legal shield's effectiveness, or the insurance premiums Apache pays to protect officers and directors, so are strongly discouraged without prior, explicit board approval.” While there is still a risk of someone taking legal action that’s less likely.

Thanks,
Justin

1. http://www.apache.org/legal/release-policy.html#why


Re: Renaming repos and security concerns

Posted by Myrle Krantz <my...@apache.org>.
Thank you.  I've corrected some typos, and then added a motivation
section.  Questions/comments/suggestions, as always, welcome.

Best Regards,
Myrle

On Fri, Feb 8, 2019 at 11:59 PM Justin Mclean <ju...@classsoftware.com>
wrote:

> Hi,
>
> > We need to make sure that pre-Apache releases whether source or binary
> are treated in a fair way.
>
> As long as they are not after the date of incubation and clearly
> marked I see no issues.
>
> > An über-comment - let’s be exceedingly careful with time limits for
> “compliance”.
>
> What do you suggest? If a podling is not following ASF release policy how
> long do we give them to fix that? IMO if the podling is dealing with it
> then all is OK, but we can’t wait for months while that is happening.
>
> > I think it would be good to finalize proposed policies from master
> copies on the wiki.
>
> Here you go. Feel free to edit. [1]
>
> Thanks,
> Justin
>
> 1. https://wiki.apache.org/incubator/DistributionGuidelines

Re: Renaming repos and security concerns

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

> We need to make sure that pre-Apache releases whether source or binary are treated in a fair way.

As long as they are not after the date of incubation and clearly marked I see no issues.

> An über-comment - let’s be exceedingly careful with time limits for “compliance”.

What do you suggest? If a podling is not following ASF release policy how long do we give them to fix that? IMO if the podling is dealing with it then all is OK, but we can’t wait for months while that is happening.

> I think it would be good to finalize proposed policies from master copies on the wiki.

Here you go. Feel free to edit. [1]

Thanks,
Justin 

1. https://wiki.apache.org/incubator/DistributionGuidelines

Re: Renaming repos and security concerns

Posted by Dave Fisher <da...@comcast.net>.

> On Feb 8, 2019, at 1:36 PM, Justin Mclean <ju...@classsoftware.com> wrote:
> 
> Hi,
> 
> In the thread on guidelines for distributions I suggested some common naming to help with trademarks, branding and be in line with release policy.
> 
> There's a possible security issue here, as people could (in theory) take over the old name and put something malicious there if the old name was removed.
> 
> Can rename GitHub
> https://help.github.com/articles/renaming-a-repository/
> 
> Can’t rename docker
> https://success.docker.com/article/how-do-you-rename-a-docker-hub-repository
> 
> Can’t rename on NPM
> Can’t rename but can deprecate and point to new one
> 
> Can rename on PyPI
> It is possible, and it also supports deprecation. But it is best to use the abandon feature and pick a replacement.
> 
> I think we’re fine with:
> - GitHub is OK as it is controlled by INFRA
> - Docker is OK as /u/apache is controlled by INFRA. Outside that space is a concern.
> - NPM: you can deprecate the old one and point to the new one, so no one can take the old package
> - PyPI: you can use abandon and point to a replacement, so no one can take the old package
> 
> Any other concerns?

We need to make sure that pre-Apache releases whether source or binary are treated in a fair way.

An über-comment - let’s be exceedingly careful with time limits for “compliance”.

I think it would be good to finalize proposed policies from master copies on the wiki.

Regards,
Dave


> 
> Thanks,
> Justin
> 

