Posted to dev@flink.apache.org by Dian Fu <di...@gmail.com> on 2019/12/04 03:45:24 UTC

Re: [DISCUSS] Expose or setup a security@flink.apache.org mailing list for security report and discussion

Hi all,

Just to sync the result of the vote on setting up a security@f.a.o mailing
list: it has been rejected [1].

Another very important thing is that all the people agree that there should
be a guideline on how to report security issues on the Flink website. Do you
think we should bring up a separate discussion/vote thread? If so, I will
do that. Personally I think that discussing on the PR is enough. What do
you think?

I have created a PR [2]. I would appreciate it if you could take a look at it.

Regards,
Dian

[1]
http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/VOTE-Setup-a-security-flink-apache-org-mailing-list-tt35205.html
[2] https://github.com/apache/flink-web/pull/287

On Thu, Nov 21, 2019 at 3:58 PM Dian Fu <di...@gmail.com> wrote:

> Hi all,
>
> There is no new feedback and it seems that we have received enough
> feedback about setting up a security@flink.apache.org mailing list[1] for
> security reports and discussion. It shows that it's optional as we can use
> either security@flink.apache.org or security@apache.org. So I'd like to
> start the vote on setting up a security@flink.apache.org mailing list to make
> the final decision.
>
> Thanks,
> Dian
>
> On Nov 19, 2019, at 6:06 PM, Dian Fu <di...@gmail.com> wrote:
>
> Hi all,
>
> Thanks for sharing your thoughts. Appreciated! Let me try to summarize the
> information and thoughts received so far. Please feel free to let me know
> if there is anything wrong or missing.
>
> 1. Setup project specific security mailing list
> Pros:
> - The security reports received by security@apache.org will be forwarded
> to the project private(PMC) mailing list. Having a project specific
> security mailing list is helpful in cases when the best person to address
> the security issue is not a PMC member, but a committer. It makes things
> simple as everyone(both PMCs and committers) is on the same table.
> - Even though the security issues are usually rare, they could be
> devastating and thus need to be treated seriously.
> - Most notable apache projects such as apache common, hadoop, spark,
> kafka, hive, etc have a security specific mailing list.
>
> Cons:
> - The ASF security mailing list security@apache.org could be used if
> there is no project specific security mailing list.
> - The number of security reports is very low.
>
> Additional information:
> - Security mailing list could only be subscribed by PMCs and committers.
> However everyone could report security issues to the security mailing list.
>
>
> 2. Guide users to report the security issues
> Why:
> - Security vulnerabilities should not be publicly disclosed (e.g. via dev
> ML or JIRA) until the project has responded. We should guide users on how
> to report security issues in Flink website.
>
> How:
> - Option 1: Set up security@flink.apache.org and ask users to report
> security issues there
> - Option 2: Ask users to send security report to security@apache.org
> - Option 3: Ask users to send security report directly to
> private@flink.apache.org
>
>
> 3. Dedicated page to show the security vulnerabilities
> - We may need a dedicated security page to describe the CVE list on the
> Flink website.
>
> I think it makes sense to open separate discussion thread on 2) and 3).
> I'll create separate discussion thread for them. Let's focus on 1) in this
> thread.
>
> If there is no other feedback on 1), I'll bring up a VOTE for this
> discussion.
>
> What do you think?
>
> Thanks,
> Dian
>
> On Fri, Nov 15, 2019 at 10:18 AM Becket Qin <be...@gmail.com> wrote:
>
>> Thanks for bringing this up, Dian.
>>
>> +1 on creating a project specific security mailing list. My two cents, I
>> think it is worth doing in practice.
>>
>> Although the ASF security ML is always available, usually all the emails
>> are simply routed to the individual project PMC. This is an additional
>> hop.
>> And in some cases, the best person to address the reported issue may not
>> be
>> a PMC member, but a committer, so the PMC have to again involve them into
>> the loop. This makes things unnecessarily complicated. Having a project
>> specific security ML would make it much easier to have everyone at the
>> same
>> table.
>>
>> Also, one thing to note is that even though the security issues are
>> usually
>> rare, they could be devastating, thus need to be treated seriously. So I
>> think it is a good idea to establish the handling mechanism regardless of
>> the frequency of the reported security vulnerabilities.
>>
>> Thanks,
>>
>> Jiangjie (Becket) Qin
>>
>> On Fri, Nov 15, 2019 at 1:14 AM Yu Li <ca...@gmail.com> wrote:
>>
>> > Thanks for bringing up this discussion Dian! How to report security
>> bugs to
>> > our project is a very important topic!
>> >
>> > Big +1 on adding some explicit instructions in our document about how to
>> > report security issues, and I suggest to open another thread to vote the
>> > reporting way in Flink.
>> >
>> > FWIW, known options to report security issues include:
>> > 1. Set up security@flink.apache.org and ask users to report security
>> > issues
>> > there
>> > 2. Ask users to send security report to security@apache.org
>> > 3. Ask users to send security report directly to
>> private@flink.apache.org
>> >
>> > More details:
>> >
>> > Descriptions on http://apache.org/security/:
>> > *============================================*
>> >
>> > *We strongly encourage folks to report security vulnerabilities to one
>> of
>> > our private security mailing lists first, before disclosing them in a
>> > public forum.*
>> >
>> > *A list of security contacts for Apache projects
>> > <http://apache.org/security/projects.html> is available. If you can't
>> find
>> > a project specific security e-mail address and you have an undisclosed
>> > security vulnerability to report then please use the general security
>> > address below.*
>> >
>> >
>> > *The general security mailing list address is: security@apache.org
>> > <se...@apache.org>. This is a private mailing list.*
>> > *============================================*
>> >
>> > There are also projects directly using private@ mailing list to report
>> > security issues such as HBase (as documented at the very beginning in
>> its
>> > online ref-guide book here <http://hbase.apache.org/book.html#_preface
>> >).
>> >
>> > Hope this information helps. Thanks.
>> >
>> > Best Regards,
>> > Yu
>> >
>> >
>> > On Thu, 14 Nov 2019 at 18:11, Chesnay Schepler <ch...@apache.org>
>> wrote:
>> >
>> > > Source: https://www.apache.org/security/
>> > >
>> > > Now, we can of course setup such a mailing list (as outlined here
>> > > https://www.apache.org/security/committers.html), but I'm not sure
>> if it
>> > > is necessary since the number of reports is _really_ low.
>> > >
>> > > On 14/11/2019 11:03, Chesnay Schepler wrote:
>> > > > AFAIK, the official way to report vulnerabilities in any apache
>> > > > project is to write to security@apache.org and/or notify the
>> > > > respective PMC. So far, we had several reports that went this route,
>> > > > hence I'm not convinced that an additional ML is required.
>> > > >
>> > > > I would be fine with an additional paragraph somewhere outlining
>> this
>> > > > though.
>> > > >
>> > > > On 14/11/2019 06:57, Jark Wu wrote:
>> > > >> Hi Dian,
>> > > >>
>> > > >> Good idea and +1 to setup security mailing list.
>> > > >> Security vulnerabilities should not be publicly disclosed (e.g. via
>> > > >> dev ML
>> > > >> or JIRA) until the project has responded.
>> > > >> However, AFAIK, Flink doesn't have an official process to
>> > > >> report vulnerabilities.
>> > > >> It would be nice to have one to protect Flink users and response
>> > > >> security
>> > > >> problems quickly.
>> > > >>
>> > > >> Btw, we may also need a dedicated page to describe the security
>> > > >> vulnerabilities report process and CVE list on the website.
>> > > >>
>> > > >> Best,
>> > > >> Jark
>> > > >>
>> > > >>
>> > > >>
>> > > >> On Thu, 14 Nov 2019 at 13:36, Hequn Cheng <ch...@gmail.com>
>> > wrote:
>> > > >>
>> > > >>> Hi Dian,
>> > > >>>
>> > > >>> Good idea! +1 to have a security mailing list.
>> > > >>> It is nice for Flink to have an official procedure to handle
>> security
>> > > >>> problems, e.g., reporting, addressing and publishing.
>> > > >>>
>> > > >>> Best, Hequn
>> > > >>>
>> > > >>> On Thu, Nov 14, 2019 at 1:20 PM Jeff Zhang <zj...@gmail.com>
>> wrote:
>> > > >>>
>> > > >>>> Thanks Dian Fu for this proposal. +1 for creating security mail
>> > > >>>> list. To
>> > > >>> be
>> > > >>>> noticed, security mail list is private mail list, could not be
>> > > >>>> subscribed
>> > > >>>> publicly.
>> > > >>>> FYI, apache member can create mail list using this self service
>> tool
>> > > >>>> https://selfserve.apache.org/
>> > > >>>>
>> > > >>>>
>> > > >>>> jincheng sun <su...@gmail.com> wrote on Thu, Nov 14, 2019 at 12:25 PM:
>> > > >>>>
>> > > >>>>> Hi Dian,
>> > > >>>>>
>> > > >>>>> Thanks a lot for bringing up this discussion. This is very
>> > important
>> > > >>> for
>> > > >>>>> Flink community!
>> > > >>>>>
>> > > >>>>> I think setup a security mailing list for Flink is pretty nice
>> > > >>> although `
>> > > >>>>> security@apache.org` can be used and the report will be
>> forwarded
>> > to
>> > > >>>> Flink
>> > > >>>>> private mailing list if there is no project specific security
>> > mailing
>> > > >>>>> list. One thing that is pretty sure is that we should guide
>> users
>> > on
>> > > >>> how
>> > > >>>> to
>> > > >>>>> report security issues in Flink website as security
>> vulnerabilities
>> > > >>>> should
>> > > >>>>> not be entered into a project's public bug tracker directly
>> > according
>> > > >>> to
>> > > >>>>> the guidance for how to handling the security vulnerabilities in
>> > ASF
>> > > >>>>> site[1].
>> > > >>>>>
>> > > >>>>> Besides, we need also add a security page in Flink which shows
>> the
>> > > >>>>> information about the security vulnerabilities per the guidance
>> of
>> > > >>>>> the
>> > > >>>>> security vulnerabilities in ASF site[2]. Projects such as
>> spark[3],
>> > > >>>>> kafka[4], etc already have such a page.
>> > > >>>>>
>> > > >>>>> Best,Jincheng
>> > > >>>>>
>> > > >>>>> [1]
>> > > >>>>
>> > >
>> https://www.apache.org/security/committers.html#vulnerability-handling
>> > > >>>>> [2]
>> > > >>>>
>> > >
>> https://www.apache.org/security/committers.html#publishing-information
>> > > >>>>> [3] https://spark.apache.org/security.html
>> > > >>>>> [4] https://kafka.apache.org/cve-list
>> > > >>>>>
>> > > >>>>> Dian Fu <di...@gmail.com> wrote on Thu, Nov 14, 2019 at 12:12 PM:
>> > > >>>>>
>> > > >>>>>> Hi all,
>> > > >>>>>>
>> > > >>>>>> I'm reaching out to see if there is an existing security
>> specific
>> > > >>>> mailing
>> > > >>>>>> list in Flink. If there is, we should expose it in the official
>> web
>> > > >>> site
>> > > >>>>> of
>> > > >>>>>> Flink [1] to guide people to report security issues to this
>> > mailing
>> > > >>>> list.
>> > > >>>>>> If it still doesn't exist, I'm here to propose to setup a
>> > > >>>>>> security@flink.apache.org mailing list for reporting and
>> > discussion
>> > > >>> of
>> > > >>>>>> security specific issues. Currently, most well known apache
>> > projects
>> > > >>>> such
>> > > >>>>>> as apache common[2], hadoop[3], spark[4], kafka[5], hive[6],
>> etc
>> > > >>> have a
>> > > >>>>>> security specific mailing list. It would be nice if there is
>> also
>> > a
>> > > >>>>>> security specific mailing list for Flink.
>> > > >>>>>>
>> > > >>>>>> Note that users should report security issues to the security
>> > > >>>>>> mailing
>> > > >>>>>> list.
>> > > >>>>>>
>> > > >>>>>> Looking forward to your feedback!
>> > > >>>>>>
>> > > >>>>>> Regards,
>> > > >>>>>> Dian
>> > > >>>>>>
>> > > >>>>>> [1] https://flink.apache.org/community.html
>> > > >>>>>> [2] https://commons.apache.org/mail-lists.html
>> > > >>>>>> [3] https://hadoop.apache.org/mailing_lists.html
>> > > >>>>>> [4] https://spark.apache.org/community.html
>> > > >>>>>> [5] https://kafka.apache.org/project-security.html
>> > > >>>>>> [6] https://hive.apache.org/mailing_lists.html
>> > > >>>>
>> > > >>>> --
>> > > >>>> Best Regards
>> > > >>>>
>> > > >>>> Jeff Zhang
>> > > >>>>
>> > > >
>> > > >
>> > >
>> > >
>> >
>>
>
>

Re: [DISCUSS] Expose or setup a security@flink.apache.org mailing list for security report and discussion

Posted by Chesnay Schepler <ch...@apache.org>.
Turns out we already have a link to the Apache security page; in the 
Apache section at the very bottom of the sidebar.

If I open the page it is unfortunately not visible...there are too many 
things in the sidebar.

Nevertheless an additional entry as done in the PR cannot hurt. I'm 
taking a look at it right now.

On 04/12/2019 04:45, Dian Fu wrote:
> Hi all,
>
> Just to sync the result of the vote on setting up a security@f.a.o mailing
> list: it has been rejected [1].
>
> Another very important thing is that all the people agree that there should
> be a guideline on how to report security issues on the Flink website. Do you
> think we should bring up a separate discussion/vote thread? If so, I will
> do that. Personally I think that discussing on the PR is enough. What do
> you think?
>
> I have created a PR [2]. I would appreciate it if you could take a look at it.
>
> Regards,
> Dian
>
> [1]
> http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/VOTE-Setup-a-security-flink-apache-org-mailing-list-tt35205.html
> [2] https://github.com/apache/flink-web/pull/287
>
> On Thu, Nov 21, 2019 at 3:58 PM Dian Fu <di...@gmail.com> wrote:
>
>> Hi all,
>>
>> There is no new feedback and it seems that we have received enough
>> feedback about setting up a security@flink.apache.org mailing list[1] for
>> security reports and discussion. It shows that it's optional as we can use
>> either security@flink.apache.org or security@apache.org. So I'd like to
>> start the vote on setting up a security@flink.apache.org mailing list to make
>> the final decision.
>>
>> Thanks,
>> Dian
>>
>> On Nov 19, 2019, at 6:06 PM, Dian Fu <di...@gmail.com> wrote:
>>
>> Hi all,
>>
>> Thanks for sharing your thoughts. Appreciated! Let me try to summarize the
>> information and thoughts received so far. Please feel free to let me know
>> if there is anything wrong or missing.
>>
>> 1. Setup project specific security mailing list
>> Pros:
>> - The security reports received by security@apache.org will be forwarded
>> to the project private(PMC) mailing list. Having a project specific
>> security mailing list is helpful in cases when the best person to address
>> the security issue is not a PMC member, but a committer. It makes things
>> simple as everyone(both PMCs and committers) is on the same table.
>> - Even though the security issues are usually rare, they could be
>> devastating and thus need to be treated seriously.
>> - Most notable apache projects such as apache common, hadoop, spark,
>> kafka, hive, etc have a security specific mailing list.
>>
>> Cons:
>> - The ASF security mailing list security@apache.org could be used if
>> there is no project specific security mailing list.
>> - The number of security reports is very low.
>>
>> Additional information:
>> - Security mailing list could only be subscribed by PMCs and committers.
>> However everyone could report security issues to the security mailing list.
>>
>>
>> 2. Guide users to report the security issues
>> Why:
>> - Security vulnerabilities should not be publicly disclosed (e.g. via dev
>> ML or JIRA) until the project has responded. We should guide users on how
>> to report security issues in Flink website.
>>
>> How:
>> - Option 1: Set up security@flink.apache.org and ask users to report
>> security issues there
>> - Option 2: Ask users to send security report to security@apache.org
>> - Option 3: Ask users to send security report directly to
>> private@flink.apache.org
>>
>>
>> 3. Dedicated page to show the security vulnerabilities
>> - We may need a dedicated security page to describe the CVE list on the
>> Flink website.
>>
>> I think it makes sense to open separate discussion thread on 2) and 3).
>> I'll create separate discussion thread for them. Let's focus on 1) in this
>> thread.
>>
>> If there is no other feedback on 1), I'll bring up a VOTE for this
>> discussion.
>>
>> What do you think?
>>
>> Thanks,
>> Dian
>>
>> On Fri, Nov 15, 2019 at 10:18 AM Becket Qin <be...@gmail.com> wrote:
>>
>>> Thanks for bringing this up, Dian.
>>>
>>> +1 on creating a project specific security mailing list. My two cents, I
>>> think it is worth doing in practice.
>>>
>>> Although the ASF security ML is always available, usually all the emails
>>> are simply routed to the individual project PMC. This is an additional
>>> hop.
>>> And in some cases, the best person to address the reported issue may not
>>> be
>>> a PMC member, but a committer, so the PMC have to again involve them into
>>> the loop. This makes things unnecessarily complicated. Having a project
>>> specific security ML would make it much easier to have everyone at the
>>> same
>>> table.
>>>
>>> Also, one thing to note is that even though the security issues are
>>> usually
>>> rare, they could be devastating, thus need to be treated seriously. So I
>>> think it is a good idea to establish the handling mechanism regardless of
>>> the frequency of the reported security vulnerabilities.
>>>
>>> Thanks,
>>>
>>> Jiangjie (Becket) Qin
>>>
>>> On Fri, Nov 15, 2019 at 1:14 AM Yu Li <ca...@gmail.com> wrote:
>>>
>>>> Thanks for bringing up this discussion Dian! How to report security
>>> bugs to
>>>> our project is a very important topic!
>>>>
>>>> Big +1 on adding some explicit instructions in our document about how to
>>>> report security issues, and I suggest to open another thread to vote the
>>>> reporting way in Flink.
>>>>
>>>> FWIW, known options to report security issues include:
>>>> 1. Set up security@flink.apache.org and ask users to report security
>>>> issues
>>>> there
>>>> 2. Ask users to send security report to security@apache.org
>>>> 3. Ask users to send security report directly to
>>> private@flink.apache.org
>>>> More details:
>>>>
>>>> Descriptions on http://apache.org/security/:
>>>> *============================================*
>>>>
>>>> *We strongly encourage folks to report security vulnerabilities to one
>>> of
>>>> our private security mailing lists first, before disclosing them in a
>>>> public forum.*
>>>>
>>>> *A list of security contacts for Apache projects
>>>> <http://apache.org/security/projects.html> is available. If you can't
>>> find
>>>> a project specific security e-mail address and you have an undisclosed
>>>> security vulnerability to report then please use the general security
>>>> address below.*
>>>>
>>>>
>>>> *The general security mailing list address is: security@apache.org
>>>> <se...@apache.org>. This is a private mailing list.*
>>>> *============================================*
>>>>
>>>> There are also projects directly using private@ mailing list to report
>>>> security issues such as HBase (as documented at the very beginning in
>>> its
>>>> online ref-guide book here <http://hbase.apache.org/book.html#_preface
>>>> ).
>>>>
>>>> Hope this information helps. Thanks.
>>>>
>>>> Best Regards,
>>>> Yu
>>>>
>>>>
>>>> On Thu, 14 Nov 2019 at 18:11, Chesnay Schepler <ch...@apache.org>
>>> wrote:
>>>>> Source: https://www.apache.org/security/
>>>>>
>>>>> Now, we can of course setup such a mailing list (as outlined here
>>>>> https://www.apache.org/security/committers.html), but I'm not sure
>>> if it
>>>>> is necessary since the number of reports is _really_ low.
>>>>>
>>>>> On 14/11/2019 11:03, Chesnay Schepler wrote:
>>>>>> AFAIK, the official way to report vulnerabilities in any apache
>>>>>> project is to write to security@apache.org and/or notify the
>>>>>> respective PMC. So far, we had several reports that went this route,
>>>>>> hence I'm not convinced that an additional ML is required.
>>>>>>
>>>>>> I would be fine with an additional paragraph somewhere outlining
>>> this
>>>>>> though.
>>>>>>
>>>>>> On 14/11/2019 06:57, Jark Wu wrote:
>>>>>>> Hi Dian,
>>>>>>>
>>>>>>> Good idea and +1 to setup security mailing list.
>>>>>>> Security vulnerabilities should not be publicly disclosed (e.g. via
>>>>>>> dev ML
>>>>>>> or JIRA) until the project has responded.
>>>>>>> However, AFAIK, Flink doesn't have an official process to
>>>>>>> report vulnerabilities.
>>>>>>> It would be nice to have one to protect Flink users and response
>>>>>>> security
>>>>>>> problems quickly.
>>>>>>>
>>>>>>> Btw, we may also need a dedicated page to describe the security
>>>>>>> vulnerabilities report process and CVE list on the website.
>>>>>>>
>>>>>>> Best,
>>>>>>> Jark
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thu, 14 Nov 2019 at 13:36, Hequn Cheng <ch...@gmail.com>
>>>> wrote:
>>>>>>>> Hi Dian,
>>>>>>>>
>>>>>>>> Good idea! +1 to have a security mailing list.
>>>>>>>> It is nice for Flink to have an official procedure to handle
>>> security
>>>>>>>> problems, e.g., reporting, addressing and publishing.
>>>>>>>>
>>>>>>>> Best, Hequn
>>>>>>>>
>>>>>>>> On Thu, Nov 14, 2019 at 1:20 PM Jeff Zhang <zj...@gmail.com>
>>> wrote:
>>>>>>>>> Thanks Dian Fu for this proposal. +1 for creating security mail
>>>>>>>>> list. To
>>>>>>>> be
>>>>>>>>> noticed, security mail list is private mail list, could not be
>>>>>>>>> subscribed
>>>>>>>>> publicly.
>>>>>>>>> FYI, apache member can create mail list using this self service
>>> tool
>>>>>>>>> https://selfserve.apache.org/
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> jincheng sun <su...@gmail.com> wrote on Thu, Nov 14, 2019 at 12:25 PM:
>>>>>>>>>
>>>>>>>>>> Hi Dian,
>>>>>>>>>>
>>>>>>>>>> Thanks a lot for bringing up this discussion. This is very
>>>> important
>>>>>>>> for
>>>>>>>>>> Flink community!
>>>>>>>>>>
>>>>>>>>>> I think setup a security mailing list for Flink is pretty nice
>>>>>>>> although `
>>>>>>>>>> security@apache.org` can be used and the report will be
>>> forwarded
>>>> to
>>>>>>>>> Flink
>>>>>>>>>> private mailing list if there is no project specific security
>>>> mailing
>>>>>>>>>> list. One thing that is pretty sure is that we should guide
>>> users
>>>> on
>>>>>>>> how
>>>>>>>>> to
>>>>>>>>>> report security issues in Flink website as security
>>> vulnerabilities
>>>>>>>>> should
>>>>>>>>>> not be entered into a project's public bug tracker directly
>>>> according
>>>>>>>> to
>>>>>>>>>> the guidance for how to handling the security vulnerabilities in
>>>> ASF
>>>>>>>>>> site[1].
>>>>>>>>>>
>>>>>>>>>> Besides, we need also add a security page in Flink which shows
>>> the
>>>>>>>>>> information about the security vulnerabilities per the guidance
>>> of
>>>>>>>>>> the
>>>>>>>>>> security vulnerabilities in ASF site[2]. Projects such as
>>> spark[3],
>>>>>>>>>> kafka[4], etc already have such a page.
>>>>>>>>>>
>>>>>>>>>> Best,Jincheng
>>>>>>>>>>
>>>>>>>>>> [1]
>>> https://www.apache.org/security/committers.html#vulnerability-handling
>>>>>>>>>> [2]
>>> https://www.apache.org/security/committers.html#publishing-information
>>>>>>>>>> [3] https://spark.apache.org/security.html
>>>>>>>>>> [4] https://kafka.apache.org/cve-list
>>>>>>>>>>
>>>>>>>>>> Dian Fu <di...@gmail.com> wrote on Thu, Nov 14, 2019 at 12:12 PM:
>>>>>>>>>>
>>>>>>>>>>> Hi all,
>>>>>>>>>>>
>>>>>>>>>>> I'm reaching out to see if there is an existing security
>>> specific
>>>>>>>>> mailing
>>>>>>>>>>> list in Flink. If there is, we should expose it in the official
>>> web
>>>>>>>> site
>>>>>>>>>> of
>>>>>>>>>>> Flink [1] to guide people to report security issues to this
>>>> mailing
>>>>>>>>> list.
>>>>>>>>>>> If it still doesn't exist, I'm here to propose to setup a
>>>>>>>>>>> security@flink.apache.org mailing list for reporting and
>>>> discussion
>>>>>>>> of
>>>>>>>>>>> security specific issues. Currently, most well known apache
>>>> projects
>>>>>>>>> such
>>>>>>>>>>> as apache common[2], hadoop[3], spark[4], kafka[5], hive[6],
>>> etc
>>>>>>>> have a
>>>>>>>>>>> security specific mailing list. It would be nice if there is
>>> also
>>>> a
>>>>>>>>>>> security specific mailing list for Flink.
>>>>>>>>>>>
>>>>>>>>>>> Note that users should report security issues to the security
>>>>>>>>>>> mailing
>>>>>>>>>>> list.
>>>>>>>>>>>
>>>>>>>>>>> Looking forward to your feedback!
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Dian
>>>>>>>>>>>
>>>>>>>>>>> [1] https://flink.apache.org/community.html
>>>>>>>>>>> [2] https://commons.apache.org/mail-lists.html
>>>>>>>>>>> [3] https://hadoop.apache.org/mailing_lists.html
>>>>>>>>>>> [4] https://spark.apache.org/community.html
>>>>>>>>>>> [5] https://kafka.apache.org/project-security.html
>>>>>>>>>>> [6] https://hive.apache.org/mailing_lists.html
>>>>>>>>> --
>>>>>>>>> Best Regards
>>>>>>>>>
>>>>>>>>> Jeff Zhang
>>>>>>>>>
>>>>>>
>>>>>
>>