Posted to issues@calcite.apache.org by "Julian Hyde (JIRA)" <ji...@apache.org> on 2016/08/24 01:55:21 UTC

[jira] [Commented] (CALCITE-1359) Document how users can log security issues against Calcite and Avatica

    [ https://issues.apache.org/jira/browse/CALCITE-1359?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15434054#comment-15434054 ] 

Julian Hyde commented on CALCITE-1359:
--------------------------------------

I did a quick survey, and it seems that [most projects do not have a security team|http://www.apache.org/security/projects.html], which means that vulnerabilities should be reported to security@apache.org. Of the projects that do, Kafka seems a good model to follow; [its security page|http://kafka.apache.org/project-security.html] is simple and clear. 

> Document how users can log security issues against Calcite and Avatica
> ----------------------------------------------------------------------
>
>                 Key: CALCITE-1359
>                 URL: https://issues.apache.org/jira/browse/CALCITE-1359
>             Project: Calcite
>          Issue Type: Bug
>            Reporter: Julian Hyde
>            Assignee: Julian Hyde
>
> Apache requires that projects document how to log security issues. Neither Calcite nor Avatica has that currently.
> Dev list and JIRA do not seem appropriate since they are public. Is the private list suitable? I don't want to create a new list, since the volume of security issues is very small.


