Re: [jakartaee-platform-dev] DISCUSS: Define role for "maintenance relea

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jakartaee-platform-dev] DISCUSS: Define role for "maintenance release coordinator"

From: Jan Westerkamp <jan.westerkamp@xxxxxxx>
Date: Tue, 8 Aug 2023 16:55:19 +0200
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ijug.eu; dmarc=pass action=none header.from=ijug.eu; dkim=pass header.d=ijug.eu; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=I2wC/MvCA+WIEfULZY2in0yUDhdX8fw0SeTrTTE5SjE=; b=CLOPHsnlVdZ2x+SnmPMX4gL1xn46aoyG+vd/zF/zRO5rEoUBvx7UrAUW/9MMNV5k0xr9N8icmpWl+7EU93Xga9t7dpv8S1o/bMr7N4DMBNK1E9Cv9MeqKBUanRMD1N5BEDz8jc+jEDY4vxoIGhAczE+n7J5UaZeetPoH8HvjMm/RuE1RP5lLndTyPTllyi0XQy7zZn+Hpze5HU9qc5+6FJJecemxRGn86o/LvszSKMWbmxwg0KMhxiWAxUq8n4sixubOw5AqPSXzqfsLM0wfu2mFN23m93aeQKuhC9z1uGnf1+OJkhuzy+vGYugY5gnD6kBFEkNCqzpqspgiEMRKLg==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=aSkKbyRp89LtbbKNBmAAuQj9tRdbbyFLSqjL6qdpdpHNL8ptdIzBL4HS3gEnhDmzXt9UJP16p118lBhkwfsLIZPi5y25ikL2PY0sMrETbXtRszkhuHOuEQ7LhavnrFQ3P1PZErJ3m8KI1YrDy9mC3tk0XqejloTgndA4idue6+h4hfEgkl8JB47Yf1ddAffKE3TQJO1UDwCfG2uK4wHSDtmheTFVX+AJ3zsPhC7lPkAcMPnmBwbtMc04n2rY7j+d9B83oaYJd7qlA9aWRpTOxEbwgWcpxkAFMAcYz0dlZxwCBhDTLZaebtjOoODZBiK8x1VdEpv6MCsbiyyD6TlPgg==
Delivered-to: jakartaee-platform-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jakartaee-platform-dev/>
List-help: <mailto:jakartaee-platform-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jakartaee-platform-dev>, <mailto:jakartaee-platform-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jakartaee-platform-dev>, <mailto:jakartaee-platform-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla Thunderbird

Hi Scott,

I disagree:

The current situation is not sufficient at all:

We are not able to organise thinks in a form, that we are able to fixknown CVEs in a given time - let's say 90 days, as shown with thecurrent reported two issues form myself.I recognised, reporting security issues on the (at that time) intendedway is not enough to get them fixed.If I want to get it done, then I have to do it by myself. I am in aposition where I can push things forward - but it takes very much timeand resources to fix it everywhere (completely) at the moment.A normal Contributor, who only is being able to report the issue (andthis should be welcome too), can only hope it will be done in some (far)future...


And doing a Service Release on my own is another security issue:

If one of us get hacked his/her credentials could be used to publish arelease on Maven Central with the attack included! Such a release willbe advertised to others by i.e. Dependabot then before somebodyrecognise it as harmful and we again can do a Service Release to fix it...

So I think there must be some improvement in our JESP (And EFSP,MPSP...) to raise the barrier to prevent this happen.It also should prevent worse things happen, if anybody changes to thedark side - even if I don't expect this now for all the communitymembers I know and trust well, but this is how zero trust works.

We have existing and upcoming regulation in the US and the EU thatrequires us to make progress, if Jakarta EE is used in criticalenvironments in the future too.

And there are organisations that are responsible to do it and get paidfor this already: Some companies sell Licences, SaaS-Offerings andSubscriptions to customers, who expect maintenance is done. Some ofthese Organisations pay for the EF Membership and the Jakarta EE WGMembership. The EF pays their staff for doing work in this direction etc.

So expecting community volunteers doing it seams not the best solutionto me.

I am not sure we need a (separate) role, but we need to do some progressin the security aspect.


Best,

Jan


Am 01.08.23 um 22:25 schrieb Scott Stark via jakartaee-platform-dev:

On Tue, Aug 1, 2023 at 12:41 PM Edward Burns via
jakartaee-platform-dev <jakartaee-platform-dev@xxxxxxxxxxx> wrote:

Do we need this role?

No. The platform and profile releases are major release only type of
specifications. Service releases for CVEs are the only thing I can
see, maybe doing something for until the next major release is out.

How rigorously do we need to define it?

Not at all.
_______________________________________________
jakartaee-platform-dev mailing list
jakartaee-platform-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jakartaee-platform-dev

Follow-Ups:
- Re: [jakartaee-platform-dev] DISCUSS: Define role for "maintenance release coordinator"
  - From: Scott Stark

References:
- [jakartaee-platform-dev] DISCUSS: Define role for "maintenance release coordinator"
  - From: Edward Burns
- Re: [jakartaee-platform-dev] DISCUSS: Define role for "maintenance release coordinator"
  - From: Scott Stark

Prev by Date: Re: [jakartaee-platform-dev] [BALLOT] Include Jakarta NoSQL in EE 11
Next by Date: Re: [jakartaee-platform-dev] DISCUSS: Define role for "maintenance release coordinator"
Previous by thread: Re: [jakartaee-platform-dev] DISCUSS: Define role for "maintenance release coordinator"
Next by thread: Re: [jakartaee-platform-dev] DISCUSS: Define role for "maintenance release coordinator"
Index(es):
- Date
- Thread

Breadcrumbs