Re: [jakartaee-platform-dev] DISCUSS: Define role for "maintenance release coordinator"

Where are the reported CVEs?

On Tue, Aug 8, 2023 at 8:55 AM Jan Westerkamp via
jakartaee-platform-dev <jakartaee-platform-dev@xxxxxxxxxxx> wrote:
>
> Hi Scott,
>
> I disagree:
>
> The current situation is not sufficient at all:
>
> We are not able to organise things in a form that we are able to fix
> known CVEs in a given time - let's say 90 days, as shown with the
> current two reported issues from myself.
> I recognised that reporting security issues in the (at that time) intended
> way is not enough to get them fixed.
> If I want to get it done, then I have to do it myself. I am in a
> position where I can push things forward - but it takes very much time
> and resources to fix it everywhere (completely) at the moment.
> A normal Contributor, who is only able to report the issue (and
> this should be welcome too), can only hope it will be done in some (far)
> future...
>
> And doing a Service Release on my own is another security issue:
> If one of us gets hacked, his/her credentials could be used to publish a
> release on Maven Central with the attack included! Such a release will
> then be advertised to others by i.e. Dependabot before somebody
> recognises it as harmful and we again can do a Service Release to fix it...
>
> So I think there must be some improvement in our JESP (and EFSP,
> MPSP...) to raise the barrier to prevent this from happening.
> It also should prevent worse things from happening if anybody changes to the
> dark side - even if I don't expect this now for all the community
> members I know and trust well, but this is how zero trust works.
>
> We have existing and upcoming regulation in the US and the EU that
> requires us to make progress, if Jakarta EE is used in critical
> environments in the future too.
>
> And there are organisations that are responsible for doing it and get paid
> for this already: Some companies sell Licences, SaaS-Offerings and
> Subscriptions to customers who expect maintenance is done. Some of
> these Organisations pay for the EF Membership and the Jakarta EE WG
> Membership. The EF pays their staff for doing work in this direction etc.
>
> So expecting community volunteers to do it seems not the best solution
> to me.
>
> I am not sure we need a (separate) role, but we need to make some progress
> in the security aspect.
>
> Best,
>
> Jan
>
>
> On 01.08.23 at 22:25 Scott Stark via jakartaee-platform-dev wrote:
> > On Tue, Aug 1, 2023 at 12:41 PM Edward Burns via
> > jakartaee-platform-dev <jakartaee-platform-dev@xxxxxxxxxxx> wrote:
> >> Do we need this role?
> > No. The platform and profile releases are major release only type of
> > specifications. Service releases for CVEs are the only thing I can
> > see, maybe doing something until the next major release is out.
> >
> >> How rigorously do we need to define it?
> >>
> > Not at all.
> > _______________________________________________
> > jakartaee-platform-dev mailing list
> > jakartaee-platform-dev@xxxxxxxxxxx
> > To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jakartaee-platform-dev