Posted to dev@solr.apache.org by Gus Heck <gu...@gmail.com> on 2023/04/24 17:33:28 UTC

[Proposal] Security Working Group

*Rationale*

Over the course of the last decade the way software security is viewed has
changed. Solr has changed significantly over this time too and we have
gained some important security features and fixed a variety of
vulnerabilities. However, I think as a project we have not really developed
a clear vision of what our security goals and use cases are. I have
witnessed a fair bit of variability in the responses to security related
queries, and I think much of the variability comes from conflation among
"good practical advice", "somewhat dated advice" and "varying notions of
supported use cases". We also regularly receive reports to the
security@solr.apache.org address that involve investigations into systems
that are not properly secured to begin with or configured to explicitly
allow the dangerous behavior and it's a shame to see security researchers
waste their time on that. Finally, the PMC and set of people subscribed to
security@solr.apache.org is a large enough group that incoming mails often
seem to languish in a classic example of nobody having actual specific
responsibility for responding.

*Proposal*
The Solr PMC should appoint from among its members 3 to 5 individuals to
serve as a "security working group". Membership in the "Security Working
Group" requires subscribing to security@solr.apache.org, and a 30-minute
conference call once or twice a month. This working group would have the
following goals.

   1. Establish a relationship with someone whose core job function is
   computer security, rather than providing search (I'm hoping the ASF has
   some people who secure their systems that could be a resource). This person
   should be willing to offer a systems security perspective on our goals and
   the security functionality we provide.
   2. Develop a clear statement of the security use cases we would like to
   support, and exposition of some scenarios that are clearly out of scope.
   This results in a proposal to be discussed on the dev list and users list
   and eventually voted on.
   3. Identification of use cases we would like to support that are not yet
   supported, and publicize them to encourage these contributions.
   4. Review of documentation to ensure consistency with our current state
   (security only, perhaps annually?).
   5. Creation of a "security report checklist" that security researchers
   can self-apply before they submit reports.
   6. Form letters for consistent response to reports that haven't passed
   the checklist.
   7. Provide consistent and prompt responses to possible
   vulnerabilities reported to security@apache.org. Those subscribed to
   security@solr.apache.org who are not in the working group should allow
   the working group time to respond before responding themselves.
   8. When asked, offer opinions on proposed new security features
   regarding consistency with the goals (working group to discuss, return with
   an opinion, always publicly and just as a voice in the conversation, not
   as any sort of veto/control; decisions are still up to the list of course).

NON-GOAL: The group is not responsible for fixing security bugs or adding
security features. (Nothing stopping them of course, just not the point of
the group, which is a goal-setting and consistency-oriented group.)

*Volunteer*

And to lower the barrier to getting things started, I volunteer to participate in
this WG for at least a year, and spend up to 2h/week on it. I don't think
any members should be expected to dedicate more than that to it, and
probably many weeks the time required should be less.

*Feedback*

Of course if you think this idea can be tweaked or improved, speak up! The
whole reason this is mailed to the dev list is to get broad feedback so
that we can implement the best improvements possible.

-Gus

Re: [Proposal] Security Working Group

Posted by Houston Putman <ho...@apache.org>.
Very late response here, but I think this is an awesome idea. I can help
out as well, if we haven't already reached "too many cooks in the kitchen"
amount of members.

- Houston

On Fri, May 12, 2023 at 4:53 PM Gus Heck <gu...@gmail.com> wrote:

> Yes, I'd agree, if the person can be on the related mailing list, they can
> be in the working group.
>
> On Fri, May 12, 2023 at 1:50 PM Mike Drob <md...@mdrob.com> wrote:
>
> > Just a quick update here - it sounds like the project may opt to allow
> > committers (non-PMC members) to join the security list. Discussion here:
> > https://lists.apache.org/thread/k9rt56y3j4vd2gczbn257qf4x272vz1o
> >
> > I expect the same logic would apply to this WG.
> >
> > Mike
> >
> > On Tue, May 2, 2023 at 7:40 PM Gus Heck <gu...@gmail.com> wrote:
> >
> > > @Kevin, Cool, I think with 4-5 people volunteering this is a go, and
> > > perhaps the working group can do a quick kick off (30 min) online call
> > > somewhere around the 15th?
> > >
> > > @Marcus Please don't hesitate to suggest improvements (or implement
> > > them!) Also feel 100% free to suggest improvements to my list of goals
> > > or brainstorm ideas to flesh them out. Happy to have community
> > > involvement at all levels. The core idea of the working group is to get
> > > a few people invested in this particular aspect of solr and improve the
> > > timeliness and quality of our responses to reports. The more help we
> > > get the better. One of the best possible results would be if this got
> > > people thinking and we got more participation out of it.
> > >
> > > -Gus
> > >
> > > On Tue, May 2, 2023 at 7:19 PM Marcus Eagan <ma...@gmail.com> wrote:
> > >
> > > > Also happy to contribute from the outside, or one foot in rather :-)
> > > >
> > > > Security is my motivation for most of the work that I have done in
> > > > the project to date.
> > > >
> > > > On Tue, May 2, 2023 at 3:51 PM Kevin Risden <kr...@apache.org> wrote:
> > > >
> > > > > I'm happy to contribute.
> > > > >
> > > > > Kevin Risden
> > > > >
> > > > > On Tue, May 2, 2023 at 3:47 PM Arrieta, Alejandro <
> > > > > aarrieta@perrinsoftware.com> wrote:
> > > > >
> > > > > > Hi Gus,
> > > > > >
> > > > > > thx 4 clarification.
> > > > > > Well I need to work on those 2 requirements then :-)
> > > > > >
> > > > > > Thanks
> > > > > > Alejandro Arrieta
> > > > > >
> > > > > > On Tue, May 2, 2023 at 3:40 PM Gus Heck <gu...@gmail.com> wrote:
> > > > > >
> > > > > > > Unfortunately, since part of the duties will be responding to
> > > > > > > the queries sent to security@solr.apache.org, one must be both
> > > > > > > a committer and a PMC member. However, I expect that this group
> > > > > > > will make suggestions about anything unrelated to un-announced
> > > > > > > security issues to the wider list for a typical
> > > > > > > discussion/proposal/vote cycle.
> > > > > > >
> > > > > > > On Tue, May 2, 2023 at 3:28 PM Arrieta, Alejandro <
> > > > > > > aarrieta@perrinsoftware.com> wrote:
> > > > > > >
> > > > > > > > Hello Team,
> > > > > > > >
> > > > > > > > Do you need to be a committer to join the group?
> > > > > > > >
> > > > > > > > Kind Regards,
> > > > > > > > Alejandro Arrieta
> > > > > > > >
> > > > > > > > On Tue, May 2, 2023 at 3:23 PM Gus Heck <gu...@gmail.com> wrote:
> > > > > > > >
> > > > > > > > > Cool that means so far we have:
> > > > > > > > >
> > > > > > > > >    1. Me (Gus Heck)
> > > > > > > > >    2. Jason Gerlowski
> > > > > > > > >    3. Mike Drob
> > > > > > > > >    4. (maybe?) David Smiley
> > > > > > > > >
> > > > > > > > > On Tue, May 2, 2023 at 3:02 PM Mike Drob <md...@mdrob.com> wrote:
> > > > > > > > >
> > > > > > > > > > Howdy folks. I'd be happy to step into this working group.
> > > > > > > > > >
> > > > > > > > > > On Mon, May 1, 2023 at 12:34 PM Gus Heck <gus.heck@gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > > Awesome, glad to have you Jason, I in the end feel the
> > > > > > > > > > > same way about my spot. Mostly I qualify as "concerned
> > > > > > > > > > > citizen", possibly with "who thought about it some and
> > > > > > > > > > > has ideas" added. If we get more than 5 volunteers we
> > > > > > > > > > > can start comparing credentials.
> > > > > > > > > > >
> > > > > > > > > > > On Mon, May 1, 2023 at 1:17 PM Jason Gerlowski <gerlowskija@gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Hi Gus,
> > > > > > > > > > > >
> > > > > > > > > > > > I think this is a great idea.
> > > > > > > > > > > >
> > > > > > > > > > > > I don't have much security background that'd make me
> > > > > > > > > > > > a particularly good fit, but absent someone with that
> > > > > > > > > > > > background stepping up, I'm willing to volunteer for
> > > > > > > > > > > > one of the spots. (I'd be more than happy to bow out
> > > > > > > > > > > > if better qualified folks come along.)
> > > > > > > > > > > >
> > > > > > > > > > > > Best,
> > > > > > > > > > > >
> > > > > > > > > > > > Jason
> > > > > > > > > > > >
> > > > > > > > > > > > On Sun, Apr 30, 2023 at 7:14 PM David Smiley <dsmiley@apache.org> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > Pretty sleepy thread so far; apparently nobody else
> > > > > > > > > > > > > is interested in talking about Solr security -- LOL ;-)
> > > > > > > > > > > > >
> > > > > > > > > > > > > ~ David Smiley
> > > > > > > > > > > > > Apache Lucene/Solr Search Developer
> > > > > > > > > > > > > http://www.linkedin.com/in/davidwsmiley
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Wed, Apr 26, 2023 at 8:25 AM Gus Heck <gus.heck@gmail.com> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Thanks David. It would be great to have you if you
> > > > > > > > > > > > > > can find time for it. As far as time commitment
> > > > > > > > > > > > > > goes, I think it should become minimal after a
> > > > > > > > > > > > > > while unless we have a flood of security reports
> > > > > > > > > > > > > > to respond to. For a little while after initial
> > > > > > > > > > > > > > organization, I think the members will want to put
> > > > > > > > > > > > > > a bit of effort into hitting some of the goals I
> > > > > > > > > > > > > > mentioned.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Tue, Apr 25, 2023 at 12:28 AM David Smiley <dsmiley@apache.org> wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > This is a thoughtful organization attempt and
> > > > > > > > > > > > > > > needed, I think. Thanks Gus!
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > I want to see if I could get a security
> > > > > > > > > > > > > > > specialist/engineer where I work to help us with
> > > > > > > > > > > > > > > this. I'm tempted to say I'm joining this thing
> > > > > > > > > > > > > > > but I'm weary of dedicating time per week.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > ~ David Smiley
> > > > > > > > > > > > > > > Apache Lucene/Solr Search Developer
> > > > > > > > > > > > > > > http://www.linkedin.com/in/davidwsmiley
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > On Mon, Apr 24, 2023 at 1:33 PM Gus Heck <gus.heck@gmail.com> wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > --
> > > > > > > > > > > > > > http://www.needhamsoftware.com (work)
> > > > > > > > > > > > > > http://www.the111shift.com (play)
> > > >
> > > > --
> > > > Marcus Eagan
>

Re: [Proposal] Security Working Group

Posted by Gus Heck <gu...@gmail.com>.
Yes, I'd agree, if the person can be on the related mailing list, they can
be in the working group.

> to
> > > > > > > > > > > > > > security@solr.apache.org,
> > > > > > > > > > > > > > > and a 30 minute conference call once or twice a
> > > > month.
> > > > > > This
> > > > > > > > > > working
> > > > > > > > > > > > > group
> > > > > > > > > > > > > > > would have the following goals.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >    1. Establish a relationship with someone
> who's
> > > > core
> > > > > > job
> > > > > > > > > > > function is
> > > > > > > > > > > > > > >    computer security, rather than providing
> > search
> > > > (I'm
> > > > > > > > hoping
> > > > > > > > > > the
> > > > > > > > > > > ASF
> > > > > > > > > > > > > > has
> > > > > > > > > > > > > > >    some people who secure their systems that
> > could
> > > > be a
> > > > > > > > > > resource).
> > > > > > > > > > > This
> > > > > > > > > > > > > > > person
> > > > > > > > > > > > > > >    should be willing to offer a systems
> security
> > > > > > > perspective
> > > > > > > > on
> > > > > > > > > > our
> > > > > > > > > > > > > goals
> > > > > > > > > > > > > > > and
> > > > > > > > > > > > > > >    the security functionality we provide.
> > > > > > > > > > > > > > >    2. Develop a clear statement of the security
> > use
> > > > > cases
> > > > > > > we
> > > > > > > > > > would
> > > > > > > > > > > like
> > > > > > > > > > > > > > to
> > > > > > > > > > > > > > >    support, and exposition of some scenarios
> that
> > > are
> > > > > > > clearly
> > > > > > > > > out
> > > > > > > > > > > of
> > > > > > > > > > > > > > scope.
> > > > > > > > > > > > > > >    This results in a proposal to be discussed
> on
> > > the
> > > > > dev
> > > > > > > list
> > > > > > > > > and
> > > > > > > > > > > users
> > > > > > > > > > > > > > > list
> > > > > > > > > > > > > > >    and eventually voted on.
> > > > > > > > > > > > > > >    3. Identification of use cases we would like
> > to
> > > > > > support
> > > > > > > > that
> > > > > > > > > > > are not
> > > > > > > > > > > > > > yet
> > > > > > > > > > > > > > >    supported, and publicize them to encourage
> > these
> > > > > > > > > > contributions.
> > > > > > > > > > > > > > >    4. Review of documentation to ensure
> > consistency
> > > > > with
> > > > > > > our
> > > > > > > > > > > current
> > > > > > > > > > > > > > state
> > > > > > > > > > > > > > >    (security only, perhaps annually?).
> > > > > > > > > > > > > > >    5. Creation of a "security report checklist"
> > > that
> > > > > > > security
> > > > > > > > > > > > > researchers
> > > > > > > > > > > > > > >    can self apply before they submit reports.
> > > > > > > > > > > > > > >    6. Form letters for consistent response to
> > > reports
> > > > > > that
> > > > > > > > > > haven't
> > > > > > > > > > > > > passed
> > > > > > > > > > > > > > >    the checklist.
> > > > > > > > > > > > > > >    7. Provide consistent and prompt responses
> to
> > > > > possible
> > > > > > > > > > > > > > >    vulnerabilities reported to
> > security@apache.org
> > > .
> > > > > > Those
> > > > > > > > > > > subscribed
> > > > > > > > > > > > > to
> > > > > > > > > > > > > > >    security@solr.apache.org who are not in the
> > > > working
> > > > > > > group
> > > > > > > > > > > should
> > > > > > > > > > > > > > allow
> > > > > > > > > > > > > > >    the working group time to respond before
> > > > responding
> > > > > > > > > > themselves.
> > > > > > > > > > > > > > >    8. When asked, offer opinions on  proposed
> new
> > > > > > security
> > > > > > > > > > features
> > > > > > > > > > > > > > >    regarding consistency with the goals
> (working
> > > > group
> > > > > to
> > > > > > > > > > discuss,
> > > > > > > > > > > > > return
> > > > > > > > > > > > > > > with
> > > > > > > > > > > > > > >    an opinion, always publically and just as a
> > > voice
> > > > in
> > > > > > the
> > > > > > > > > > > > > conversation,
> > > > > > > > > > > > > > > not
> > > > > > > > > > > > > > >    as any sort of veto/control, decisions are
> > still
> > > > up
> > > > > to
> > > > > > > the
> > > > > > > > > > list
> > > > > > > > > > > of
> > > > > > > > > > > > > > > course).
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > NON-GOAL: The group is not responsible for
> fixing
> > > > > > security
> > > > > > > > bugs
> > > > > > > > > > or
> > > > > > > > > > > > > adding
> > > > > > > > > > > > > > > security features. (nothing stopping them of
> > > course,
> > > > > just
> > > > > > > not
> > > > > > > > > the
> > > > > > > > > > > point
> > > > > > > > > > > > > > of
> > > > > > > > > > > > > > > the group, which is a goal setting and
> > consistency
> > > > > > oriented
> > > > > > > > > > group)
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > *Volunteer*
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > And to lower the barrier to things started, I
> > > > volunteer
> > > > > > to
> > > > > > > > > > > participate
> > > > > > > > > > > > > in
> > > > > > > > > > > > > > > this WG for at least a year, and spend up to
> > > 2h/week
> > > > on
> > > > > > > it. I
> > > > > > > > > > don't
> > > > > > > > > > > > > think
> > > > > > > > > > > > > > > any members should be expected to dedicate more
> > > than
> > > > > that
> > > > > > > to
> > > > > > > > > it,
> > > > > > > > > > > and
> > > > > > > > > > > > > > > probably many weeks the time required should be
> > > less.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > *Feedback*
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Of course if you think this idea can be tweaked
> > or
> > > > > > > improved,
> > > > > > > > > > speak
> > > > > > > > > > > up!
> > > > > > > > > > > > > > The
> > > > > > > > > > > > > > > whole reason this is mailed to the dev list is
> to
> > > get
> > > > > > broad
> > > > > > > > > > > feedback so
> > > > > > > > > > > > > > > that we can implement the best improvements
> > > possible.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > -Gus
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > --
> > > > > > > > > > > > > http://www.needhamsoftware.com (work)
> > > > > > > > > > > > > http://www.the111shift.com (play)
> > > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > >
> > > ---------------------------------------------------------------------
> > > > > > > > > > > To unsubscribe, e-mail:
> dev-unsubscribe@solr.apache.org
> > > > > > > > > > > For additional commands, e-mail:
> > dev-help@solr.apache.org
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > http://www.needhamsoftware.com (work)
> > > > > > > > > > http://www.the111shift.com (play)
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > http://www.needhamsoftware.com (work)
> > > > > > > > http://www.the111shift.com (play)
> > > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > http://www.needhamsoftware.com (work)
> > > > > > http://www.the111shift.com (play)
> > > > > >
> > > > >
> > > >
> > >
> > >
> > > --
> > > Marcus Eagan
> > >
> >
> >
> > --
> > http://www.needhamsoftware.com (work)
> > http://www.the111shift.com (play)
> >
>


-- 
http://www.needhamsoftware.com (work)
http://www.the111shift.com (play)

Re: [Proposal] Security Working Group

Posted by Mike Drob <md...@mdrob.com>.
Just a quick update here - it sounds like the project may opt to allow
committers (non-PMC members) to join the security list. Discussion here:
https://lists.apache.org/thread/k9rt56y3j4vd2gczbn257qf4x272vz1o

I expect the same logic would apply to this WG.

Mike

> On Tue, May 2, 2023 at 7:19 PM Marcus Eagan <ma...@gmail.com> wrote:
>
> > Also happy to contribute from the outside, or one foot in rather :-)
> >
> > Security is my motivation for most of the work that I have done in the
> > project to date.
> >
> >
> > On Tue, May 2, 2023 at 3:51 PM Kevin Risden <kr...@apache.org> wrote:
> >
> > > I'm happy to contribute.
> > >
> > > Kevin Risden
> > >
> > >
> > > On Tue, May 2, 2023 at 3:47 PM Arrieta, Alejandro <aarrieta@perrinsoftware.com> wrote:
> > >
> > > > Hi Gus,
> > > >
> > > > Thanks for the clarification.
> > > > Well I need to work on those 2 requirements then :-)
> > > >
> > > > Thanks
> > > > Alejandro Arrieta
> > > >
> > > >
> > > > On Tue, May 2, 2023 at 3:40 PM Gus Heck <gu...@gmail.com> wrote:
> > > >
> > > > > Unfortunately, since part of the duties will be responding to the
> > > > > queries sent to security@solr.apache.org, one must be both a
> > > > > committer and a PMC member. However, I expect that this group will
> > > > > make suggestions about anything unrelated to un-announced security
> > > > > issues to the wider list for a typical discussion/proposal/vote
> > > > > cycle.
> > > > >
> > > > > On Tue, May 2, 2023 at 3:28 PM Arrieta, Alejandro <aarrieta@perrinsoftware.com> wrote:
> > > > >
> > > > > > Hello Team,
> > > > > >
> > > > > > Do you need to be a committer to join the group?
> > > > > >
> > > > > > Kind Regards,
> > > > > > Alejandro Arrieta
> > > > > >
> > > > > > On Tue, May 2, 2023 at 3:23 PM Gus Heck <gu...@gmail.com> wrote:
> > > > > >
> > > > > > > Cool, that means so far we have:
> > > > > > >
> > > > > > >    1. Me (Gus Heck)
> > > > > > >    2. Jason Gerlowski
> > > > > > >    3. Mike Drob
> > > > > > >    4. (maybe?) David Smiley
> > > > > > >
> > > > > > >
> > > > > > > On Tue, May 2, 2023 at 3:02 PM Mike Drob <md...@mdrob.com> wrote:
> > > > > > >
> > > > > > > > Howdy folks. I'd be happy to step into this working group.
> > > > > > > >
> > > > > > > > On Mon, May 1, 2023 at 12:34 PM Gus Heck <gus.heck@gmail.com> wrote:
> > > > > > > >
> > > > > > > > > Awesome, glad to have you Jason. In the end I feel the same
> > > > > > > > > way about my spot. Mostly I qualify as "concerned citizen",
> > > > > > > > > possibly with "who thought about it some and has ideas"
> > > > > > > > > added. If we get more than 5 volunteers we can start
> > > > > > > > > comparing credentials.
> > > > > > > > >
> > > > > > > > > On Mon, May 1, 2023 at 1:17 PM Jason Gerlowski <gerlowskija@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > > Hi Gus,
> > > > > > > > > >
> > > > > > > > > > I think this is a great idea.
> > > > > > > > > >
> > > > > > > > > > I don't have much security background that'd make me a
> > > > > > > > > > particularly good fit, but absent someone with that
> > > > > > > > > > background stepping up, I'm willing to volunteer for one
> > > > > > > > > > of the spots. (I'd be more than happy to bow out if
> > > > > > > > > > better qualified folks come along.)
> > > > > > > > > >
> > > > > > > > > > Best,
> > > > > > > > > >
> > > > > > > > > > Jason
> > > > > > > > > >
> > > > > > > > > > On Sun, Apr 30, 2023 at 7:14 PM David Smiley <dsmiley@apache.org> wrote:
> > > > > > > > > > >
> > > > > > > > > > > Pretty sleepy thread so far; apparently nobody else is
> > > > > > > > > > > interested in talking about Solr security -- LOL ;-)
> > > > > > > > > > >
> > > > > > > > > > > ~ David Smiley
> > > > > > > > > > > Apache Lucene/Solr Search Developer
> > > > > > > > > > > http://www.linkedin.com/in/davidwsmiley
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > On Wed, Apr 26, 2023 at 8:25 AM Gus Heck <gus.heck@gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Thanks David. It would be great to have you if you
> > > > > > > > > > > > can find time for it. As far as time commitment
> > > > > > > > > > > > goes, I think it should become minimal after a while
> > > > > > > > > > > > unless we have a flood of security reports to
> > > > > > > > > > > > respond to. For a little while after initial
> > > > > > > > > > > > organization, I think the members will want to put a
> > > > > > > > > > > > bit of effort into hitting some of the goals I
> > > > > > > > > > > > mentioned.
> > > > > > > > > > > >
> > > > > > > > > > > > On Tue, Apr 25, 2023 at 12:28 AM David Smiley <dsmiley@apache.org> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > This is a thoughtful organization attempt and
> > > > > > > > > > > > > needed, I think. Thanks Gus!
> > > > > > > > > > > > >
> > > > > > > > > > > > > I want to see if I could get a security
> > > > > > > > > > > > > specialist/engineer where I work to help us with
> > > > > > > > > > > > > this. I'm tempted to say I'm joining this thing
> > > > > > > > > > > > > but I'm wary of dedicating time per week.
> > > > > > > > > > > > >
> > > > > > > > > > > > > ~ David Smiley
> > > > > > > > > > > > > Apache Lucene/Solr Search Developer
> > > > > > > > > > > > > http://www.linkedin.com/in/davidwsmiley
> > > > > > > > > > > > >
> > > > > > > > > > > > >

Re: [Proposal] Security Working Group

Posted by Gus Heck <gu...@gmail.com>.
@Kevin, Cool, I think with 4-5 people volunteering this is a go, and
perhaps the working group can do a quick kick off (30 min) online call
somewhere around the 15th?

@Marcus Please don't hesitate to suggest improvements (or implement them!)
Also feel 100% free to suggest improvements to my list of goals or
brainstorm ideas to flesh them out. Happy to have community involvement at
all levels. The core idea of the working group is to get a few people
invested in this particular aspect of solr and improve the timeliness and
quality of our responses to reports. The more help we get the better. One
of the best possible results would be if this got people thinking and we
got more participation out of it.

-Gus

On Tue, May 2, 2023 at 7:19 PM Marcus Eagan <ma...@gmail.com> wrote:

> Also happy to contribute from the outside, or one foot in rather :-)
>
> Security is my motivation for most of the work that I have done in the
> project to date.
>
>
> On Tue, May 2, 2023 at 3:51 PM Kevin Risden <kr...@apache.org> wrote:
>
> > I'm happy to contribute.
> >
> > Kevin Risden
> >
> >
> > On Tue, May 2, 2023 at 3:47 PM Arrieta, Alejandro <
> > aarrieta@perrinsoftware.com> wrote:
> >
> > > Hi Gus,
> > >
> > > thx 4 clarification.
> > > Well I need to work on those 2 requirements then :-)
> > >
> > > Thanks
> > > Alejandro Arrieta
> > >
> > >
> > > On Tue, May 2, 2023 at 3:40 PM Gus Heck <gu...@gmail.com> wrote:
> > >
> > > > Unfortunately, since part of the duties will be responding to the
> > queries
> > > > sent to security@solr.apache.org, one must be both a committer and a
> > PMC
> > > > member. However, I expect that this group will make suggestions about
> > > > anything unrelated to un-announced security issues to the wider list
> > for
> > > a
> > > > typical discussion/proposal/vote cycle.
> > > >
> > > > On Tue, May 2, 2023 at 3:28 PM Arrieta, Alejandro <
> > > > aarrieta@perrinsoftware.com> wrote:
> > > >
> > > > >  Hello Team,
> > > > >
> > > > > Do you need to be a committer to join the group?
> > > > >
> > > > > Kind Regards,
> > > > > Alejandro Arrieta
> > > > >
> > > > > On Tue, May 2, 2023 at 3:23 PM Gus Heck <gu...@gmail.com>
> wrote:
> > > > >
> > > > > > Cool that means so far we have:
> > > > > >
> > > > > >    1. Me (Gus Heck)
> > > > > >    2. Jason Gerlowski
> > > > > >    3. Mike Drob
> > > > > >    4. (maybe?) David Smiley
> > > > > >
> > > > > >
> > > > > > On Tue, May 2, 2023 at 3:02 PM Mike Drob <md...@mdrob.com>
> wrote:
> > > > > >
> > > > > > > Howdy folks. I'd be happy to step into this working group.
> > > > > > >
> > > > > > > On Mon, May 1, 2023 at 12:34 PM Gus Heck <gu...@gmail.com>
> > > wrote:
> > > > > > >
> > > > > > > > Awesome, glad to have you Jason, I in the end feel the same
> way
> > > > about
> > > > > > my
> > > > > > > > spot. Mostly I qualify as "concerned citizen", possibly with
> > "who
> > > > > > thought
> > > > > > > > about it some and has ideas" added. If we get more than 5
> > > > volunteers
> > > > > we
> > > > > > > can
> > > > > > > > start comparing credentials.
> > > > > > > >
> > > > > > > > On Mon, May 1, 2023 at 1:17 PM Jason Gerlowski <
> > > > > gerlowskija@gmail.com>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > Hi Gus,
> > > > > > > > >
> > > > > > > > > I think this is a great idea.
> > > > > > > > >
> > > > > > > > > I don't have much security background that'd make me a
> > > > particularly
> > > > > > > > > good fit, but absent someone with that background stepping
> > up,
> > > > I'm
> > > > > > > > > willing to volunteer for one of the spots.  (I'd be more
> than
> > > > happy
> > > > > > to
> > > > > > > > > bow out if better qualified folks come along.)
> > > > > > > > >
> > > > > > > > > Best,
> > > > > > > > >
> > > > > > > > > Jason
> > > > > > > > >
> > > > > > > > > On Sun, Apr 30, 2023 at 7:14 PM David Smiley <
> > > dsmiley@apache.org
> > > > >
> > > > > > > wrote:
> --
> Marcus Eagan
>


-- 
http://www.needhamsoftware.com (work)
http://www.the111shift.com (play)

Re: [Proposal] Security Working Group

Posted by Marcus Eagan <ma...@gmail.com>.
Also happy to contribute from the outside, or one foot in rather :-)

Security is my motivation for most of the work that I have done in the
project to date.


On Tue, May 2, 2023 at 3:51 PM Kevin Risden <kr...@apache.org> wrote:

> I'm happy to contribute.
>
> Kevin Risden
>
>


-- 
Marcus Eagan

Re: [Proposal] Security Working Group

Posted by Kevin Risden <kr...@apache.org>.
I'm happy to contribute.

Kevin Risden


On Tue, May 2, 2023 at 3:47 PM Arrieta, Alejandro <aarrieta@perrinsoftware.com> wrote:

> Hi Gus,
>
> thx 4 clarification.
> Well I need to work on those 2 requirements then :-)
>
> Thanks
> Alejandro Arrieta
>
>
> > > improved,
> > > > > > speak
> > > > > > > up!
> > > > > > > > > > The
> > > > > > > > > > > whole reason this is mailed to the dev list is to get
> > broad
> > > > > > > feedback so
> > > > > > > > > > > that we can implement the best improvements possible.
> > > > > > > > > > >
> > > > > > > > > > > -Gus
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > http://www.needhamsoftware.com (work)
> > > > > > > > > http://www.the111shift.com (play)
> > > > > > > > >
> > > > > > >
> > > > > > >
> > > ---------------------------------------------------------------------
> > > > > > > To unsubscribe, e-mail: dev-unsubscribe@solr.apache.org
> > > > > > > For additional commands, e-mail: dev-help@solr.apache.org
> > > > > > >
> > > > > > >
> > > > > >
>

Re: [Proposal] Security Working Group

Posted by "Arrieta, Alejandro" <aa...@perrinsoftware.com>.
Hi Gus,

Thanks for the clarification.
Well I need to work on those 2 requirements then :-)

Thanks
Alejandro Arrieta


On Tue, May 2, 2023 at 3:40 PM Gus Heck <gu...@gmail.com> wrote:

> Unfortunately, since part of the duties will be responding to the queries
> sent to security@solr.apache.org, one must be both a committer and a PMC
> member. However, I expect that this group will make suggestions about
> anything unrelated to un-announced security issues to the wider list for a
> typical discussion/proposal/vote cycle.
>
> On Tue, May 2, 2023 at 3:28 PM Arrieta, Alejandro <
> aarrieta@perrinsoftware.com> wrote:
>
> >  Hello Team,
> >
> > Do you need to be a committer to join the group?
> >
> > Kind Regards,
> > Alejandro Arrieta
> >
> > On Tue, May 2, 2023 at 3:23 PM Gus Heck <gu...@gmail.com> wrote:
> >
> > > Cool that means so far we have:
> > >
> > >    1. Me (Gus Heck)
> > >    2. Jason Gerlowski
> > >    3. Mike Drob
> > >    4. (maybe?) David Smiley
> > >
> > >
> > > On Tue, May 2, 2023 at 3:02 PM Mike Drob <md...@mdrob.com> wrote:
> > >
> > > > Howdy folks. I'd be happy to step into this working group.
> > > >
> > > > On Mon, May 1, 2023 at 12:34 PM Gus Heck <gu...@gmail.com> wrote:
> > > >
> > > > > Awesome, glad to have you Jason, I in the end feel the same way
> > > > > about my spot. Mostly I qualify as "concerned citizen", possibly
> > > > > with "who thought about it some and has ideas" added. If we get
> > > > > more than 5 volunteers we can start comparing credentials.
> > > > >
> > > > > On Mon, May 1, 2023 at 1:17 PM Jason Gerlowski <gerlowskija@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > Hi Gus,
> > > > > >
> > > > > > I think this is a great idea.
> > > > > >
> > > > > > I don't have much security background that'd make me a
> > > > > > particularly good fit, but absent someone with that background
> > > > > > stepping up, I'm willing to volunteer for one of the spots.
> > > > > > (I'd be more than happy to bow out if better qualified folks
> > > > > > come along.)
> > > > > >
> > > > > > Best,
> > > > > >
> > > > > > Jason
> > > > > >
> > > > > > On Sun, Apr 30, 2023 at 7:14 PM David Smiley <dsmiley@apache.org>
> > > > > > wrote:
> > > > > > >
> > > > > > > Pretty sleepy thread so far; apparently nobody else is
> > > > > > > interested in talking about Solr security -- LOL ;-)
> > > > > > >
> > > > > > > ~ David Smiley
> > > > > > > Apache Lucene/Solr Search Developer
> > > > > > > http://www.linkedin.com/in/davidwsmiley
> > > > > > >
> > > > > > >
> > > > > > > On Wed, Apr 26, 2023 at 8:25 AM Gus Heck <gu...@gmail.com>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > Thanks David. It would be great to have you if you can find
> > > > > > > > time for it. As far as time commitment goes, I think it
> > > > > > > > should become minimal after a while unless we have a flood of
> > > > > > > > security reports to respond to. For a little while after
> > > > > > > > initial organization, I think the members will want to put a
> > > > > > > > bit of effort into hitting some of the goals I mentioned.
> > > > > > > >
> > > > > > > > On Tue, Apr 25, 2023 at 12:28 AM David Smiley <dsmiley@apache.org>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > This is a thoughtful organization attempt and needed, I
> > > > > > > > > think. Thanks Gus!
> > > > > > > > >
> > > > > > > > > I want to see if I could get a security specialist/engineer
> > > > > > > > > where I work to help us with this.  I'm tempted to say I'm
> > > > > > > > > joining this thing but I'm weary of dedicating time per
> > > > > > > > > week.
> > > > > > > > >
> > > > > > > > > ~ David Smiley
> > > > > > > > > Apache Lucene/Solr Search Developer
> > > > > > > > > http://www.linkedin.com/in/davidwsmiley
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
>
> --
> http://www.needhamsoftware.com (work)
> http://www.the111shift.com (play)
>

Re: [Proposal] Security Working Group

Posted by Gus Heck <gu...@gmail.com>.
Unfortunately, since part of the duties will be responding to the queries
sent to security@solr.apache.org, one must be both a committer and a PMC
member. However, I expect that this group will make suggestions about
anything unrelated to un-announced security issues to the wider list for a
typical discussion/proposal/vote cycle.

On Tue, May 2, 2023 at 3:28 PM Arrieta, Alejandro <
aarrieta@perrinsoftware.com> wrote:

>  Hello Team,
>
> Do you need to be a committer to join the group?
>
> Kind Regards,
> Alejandro Arrieta
>
> On Tue, May 2, 2023 at 3:23 PM Gus Heck <gu...@gmail.com> wrote:
>
> > Cool that means so far we have:
> >
> >    1. Me (Gus Heck)
> >    2. Jason Gerlowski
> >    3. Mike Drob
> >    4. (maybe?) David Smiley
> >
> >
> > On Tue, May 2, 2023 at 3:02 PM Mike Drob <md...@mdrob.com> wrote:
> >
> > > Howdy folks. I'd be happy to step into this working group.
> > >
> > > On Mon, May 1, 2023 at 12:34 PM Gus Heck <gu...@gmail.com> wrote:
> > >
> > > > Awesome, glad to have you Jason, I in the end feel the same way about
> > > > my spot. Mostly I qualify as "concerned citizen", possibly with "who
> > > > thought about it some and has ideas" added. If we get more than 5
> > > > volunteers we can start comparing credentials.
> > > >
> > > > On Mon, May 1, 2023 at 1:17 PM Jason Gerlowski <gerlowskija@gmail.com>
> > > > wrote:
> > > >
> > > > > Hi Gus,
> > > > >
> > > > > I think this is a great idea.
> > > > >
> > > > > I don't have much security background that'd make me a particularly
> > > > > good fit, but absent someone with that background stepping up, I'm
> > > > > willing to volunteer for one of the spots.  (I'd be more than happy
> > > > > to bow out if better qualified folks come along.)
> > > > >
> > > > > Best,
> > > > >
> > > > > Jason
> > > > >
> > > > > On Sun, Apr 30, 2023 at 7:14 PM David Smiley <ds...@apache.org>
> > > > > wrote:
> > > > > >
> > > > > > Pretty sleepy thread so far; apparently nobody else is interested
> > > > > > in talking about Solr security -- LOL ;-)
> > > > > >
> > > > > > ~ David Smiley
> > > > > > Apache Lucene/Solr Search Developer
> > > > > > http://www.linkedin.com/in/davidwsmiley
> > > > > >
> > > > > >
> > > > > > On Wed, Apr 26, 2023 at 8:25 AM Gus Heck <gu...@gmail.com>
> > > > > > wrote:
> > > > > >
> > > > > > > Thanks David. It would be great to have you if you can find
> > > > > > > time for it. As far as time commitment goes, I think it should
> > > > > > > become minimal after a while unless we have a flood of security
> > > > > > > reports to respond to. For a little while after initial
> > > > > > > organization, I think the members will want to put a bit of
> > > > > > > effort into hitting some of the goals I mentioned.
> > > > > > >
> > > > > > > On Tue, Apr 25, 2023 at 12:28 AM David Smiley <dsmiley@apache.org>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > This is a thoughtful organization attempt and needed, I think.
> > > > > > > > Thanks Gus!
> > > > > > > >
> > > > > > > > I want to see if I could get a security specialist/engineer
> > > > > > > > where I work to help us with this.  I'm tempted to say I'm
> > > > > > > > joining this thing but I'm weary of dedicating time per week.
> > > > > > > >
> > > > > > > > ~ David Smiley
> > > > > > > > Apache Lucene/Solr Search Developer
> > > > > > > > http://www.linkedin.com/in/davidwsmiley
> > > > > > > >
> > > > > > > >
> > > > > > > >
>


-- 
http://www.needhamsoftware.com (work)
http://www.the111shift.com (play)

Re: [Proposal] Security Working Group

Posted by "Arrieta, Alejandro" <aa...@perrinsoftware.com>.
Hello Team,

Do you need to be a committer to join the group?

Kind Regards,
Alejandro Arrieta

On Tue, May 2, 2023 at 3:23 PM Gus Heck <gu...@gmail.com> wrote:

> Cool that means so far we have:
>
>    1. Me (Gus Heck)
>    2. Jason Gerlowski
>    3. Mike Drob
>    4. (maybe?) David Smiley
>
>
> On Tue, May 2, 2023 at 3:02 PM Mike Drob <md...@mdrob.com> wrote:
>
> > Howdy folks. I'd be happy to step into this working group.
> >
> > On Mon, May 1, 2023 at 12:34 PM Gus Heck <gu...@gmail.com> wrote:
> >
> > > Awesome, glad to have you Jason, I in the end feel the same way about
> > > my spot. Mostly I qualify as "concerned citizen", possibly with "who
> > > thought about it some and has ideas" added. If we get more than 5
> > > volunteers we can start comparing credentials.
> > >
> > > On Mon, May 1, 2023 at 1:17 PM Jason Gerlowski <ge...@gmail.com>
> > > wrote:
> > >
> > > > Hi Gus,
> > > >
> > > > I think this is a great idea.
> > > >
> > > > I don't have much security background that'd make me a particularly
> > > > good fit, but absent someone with that background stepping up, I'm
> > > > willing to volunteer for one of the spots.  (I'd be more than happy
> > > > to bow out if better qualified folks come along.)
> > > >
> > > > Best,
> > > >
> > > > Jason
> > > >
> > > > On Sun, Apr 30, 2023 at 7:14 PM David Smiley <ds...@apache.org>
> > > > wrote:
> > > > >
> > > > > Pretty sleepy thread so far; apparently nobody else is interested
> > > > > in talking about Solr security -- LOL ;-)
> > > > >
> > > > > ~ David Smiley
> > > > > Apache Lucene/Solr Search Developer
> > > > > http://www.linkedin.com/in/davidwsmiley
> > > > >
> > > > >
> > > > > On Wed, Apr 26, 2023 at 8:25 AM Gus Heck <gu...@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > Thanks David. It would be great to have you if you can find time
> > > > > > for it. As far as time commitment goes, I think it should become
> > > > > > minimal after a while unless we have a flood of security reports
> > > > > > to respond to. For a little while after initial organization, I
> > > > > > think the members will want to put a bit of effort into hitting
> > > > > > some of the goals I mentioned.
> > > > > >
> > > > > > On Tue, Apr 25, 2023 at 12:28 AM David Smiley <dsmiley@apache.org>
> > > > > > wrote:
> > > > > >
> > > > > > > This is a thoughtful organization attempt and needed, I think.
> > > > > > > Thanks Gus!
> > > > > > >
> > > > > > > I want to see if I could get a security specialist/engineer
> > > > > > > where I work to help us with this.  I'm tempted to say I'm
> > > > > > > joining this thing but I'm weary of dedicating time per week.
> > > > > > >
> > > > > > > ~ David Smiley
> > > > > > > Apache Lucene/Solr Search Developer
> > > > > > > http://www.linkedin.com/in/davidwsmiley
> > > > > > >
> > > > > > >
> > > > > > > On Mon, Apr 24, 2023 at 1:33 PM Gus Heck <gu...@gmail.com>
> > > wrote:
> > > > > > >
> > > > > > > > *Rationale*
> > > > > > > >
> > > > > > > > Over the course of the last decade the way software security
> is
> > > > viewed
> > > > > > > has
> > > > > > > > changed. Solr has changed significantly over this time too
> and
> > we
> > > > have
> > > > > > > > gained some important security features and fixed a variety
> of
> > > > > > > > vulnerabilities. However, I think as a project we have not
> > really
> > > > > > > developed
> > > > > > > > a clear vision of what our security goals and use cases are.
> I
> > > have
> > > > > > > > witnessed a fair bit of variability in the responses to
> > security
> > > > > > related
> > > > > > > > queries, and I think much of the variability comes from
> > > conflation
> > > > > > among
> > > > > > > > "good practical advice", "somewhat dated advice" and "varying
> > > > notions
> > > > > > of
> > > > > > > > supported use cases". We also regularly receive reports to
> the
> > > > > > > > security@solr.apache.org address that involve investigations
> > > into
> > > > > > > systems
> > > > > > > > that are not properly secured to begin with or configured to
> > > > explicitly
> > > > > > > > allow the dangerous behavior and it's a shame to see security
> > > > > > researchers
> > > > > > > > waste their time on that. Finally, the PMC and set of people
> > > > subscribed
> > > > > > > to
> > > > > > > > security@solr.apache.org is a large enough group that
> incoming
> > > > mails
> > > > > > > often
> > > > > > > > seem to languish in a classic example of nobody having actual
> > > > specific
> > > > > > > > responsibility for responding.

Re: [Proposal] Security Working Group

Posted by Gus Heck <gu...@gmail.com>.
Cool, that means so far we have:

   1. Me (Gus Heck)
   2. Jason Gerlowski
   3. Mike Drob
   4. (maybe?) David Smiley


On Tue, May 2, 2023 at 3:02 PM Mike Drob <md...@mdrob.com> wrote:

-- 
http://www.needhamsoftware.com (work)
http://www.the111shift.com (play)

Re: [Proposal] Security Working Group

Posted by Mike Drob <md...@mdrob.com>.
Howdy folks. I'd be happy to step into this working group.

On Mon, May 1, 2023 at 12:34 PM Gus Heck <gu...@gmail.com> wrote:


Re: [Proposal] Security Working Group

Posted by Gus Heck <gu...@gmail.com>.
Awesome, glad to have you, Jason. In the end I feel the same way about my
spot. Mostly I qualify as "concerned citizen", possibly with "who thought
about it some and has ideas" added. If we get more than 5 volunteers we can
start comparing credentials.

On Mon, May 1, 2023 at 1:17 PM Jason Gerlowski <ge...@gmail.com> wrote:

-- 
http://www.needhamsoftware.com (work)
http://www.the111shift.com (play)

Re: [Proposal] Security Working Group

Posted by Jason Gerlowski <ge...@gmail.com>.
Hi Gus,

I think this is a great idea.

I don't have much security background that'd make me a particularly
good fit, but absent someone with that background stepping up, I'm
willing to volunteer for one of the spots.  (I'd be more than happy to
bow out if better qualified folks come along.)

Best,

Jason

On Sun, Apr 30, 2023 at 7:14 PM David Smiley <ds...@apache.org> wrote:

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@solr.apache.org
For additional commands, e-mail: dev-help@solr.apache.org


Re: [Proposal] Security Working Group

Posted by David Smiley <ds...@apache.org>.
Pretty sleepy thread so far; apparently nobody else is interested in
talking about Solr security -- LOL ;-)

~ David Smiley
Apache Lucene/Solr Search Developer
http://www.linkedin.com/in/davidwsmiley


On Wed, Apr 26, 2023 at 8:25 AM Gus Heck <gu...@gmail.com> wrote:


Re: [Proposal] Security Working Group

Posted by Gus Heck <gu...@gmail.com>.
Thanks David. It would be great to have you if you can find time for it. As
far as time commitment goes, I think it should become minimal after a while
unless we have a flood of security reports to respond to. For a little
while after initial organization, I think the members will want to put a
bit of effort into hitting some of the goals I mentioned.

On Tue, Apr 25, 2023 at 12:28 AM David Smiley <ds...@apache.org> wrote:



-- 
http://www.needhamsoftware.com (work)
http://www.the111shift.com (play)

Re: [Proposal] Security Working Group

Posted by David Smiley <ds...@apache.org>.
This is a thoughtful organization attempt and needed, I think.  Thanks Gus!

I want to see if I could get a security specialist/engineer where I work to
help us with this.  I'm tempted to say I'm joining this thing but I'm weary
of dedicating time per week.

~ David Smiley
Apache Lucene/Solr Search Developer
http://www.linkedin.com/in/davidwsmiley


On Mon, Apr 24, 2023 at 1:33 PM Gus Heck <gu...@gmail.com> wrote:
