Re: [glassfish-dev] Glassfish project committers and EF Gitlab
  • From: "Hiroki Sawamura (Fujitsu)" <sawamura.hiroki@xxxxxxxxxxx>
  • Date: Tue, 23 Jul 2024 08:40:49 +0000

Hi,

For now, it would be best to make the vulnerability report accessible to GlassFish committers who have GitLab accounts.

Kind regards,
Hiroki

From: glassfish-dev <glassfish-dev-bounces@xxxxxxxxxxx> On Behalf Of Marta Rybczynska via glassfish-dev
Sent: Tuesday, July 23, 2024 4:37 PM
To: david.matejcek@xxxxxxxxxxx; glassfish developer discussions <glassfish-dev@xxxxxxxxxxx>
Cc: Marta Rybczynska <marta.rybczynska@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [glassfish-dev] Glassfish project committers and EF Gitlab

Hello David and team,
I leave the solution to the Glassfish project team; you are the best ones to know how to handle it. What the Security Team needs to know is whom to add to security tickets. In your case, there is a big number of committers, and probably not everyone is needed for each issue. Please discuss among yourselves, and tell us which way to follow. The Glassfish project is receiving vulnerability reports regularly (which is a good thing: a sign that there are users!), so it is good to have the best set of people for resolving them from the first day. We can have a chat/video call if you want to discuss options and procedures.

Kind regards,
Marta

On Mon, Jul 22, 2024 at 7:18 PM David Matejcek via glassfish-dev <mailto:glassfish-dev@xxxxxxxxxxx> wrote:
Hi, 

we discussed some time ago that we should do some cleanup in committers - some names are really inactive, some do PRs once per year, and we can ask the rest to do the login in a month?
Also - is it a problem just to not add people missing in GitLab?
-- 
David Matejcek | OmniFish
mailto:david.matejcek@xxxxxxxxxxx


On 22. 07. 24 11:37, Marta Rybczynska via glassfish-dev wrote:
Hello Glassfish team,
The Eclipse Foundation receives potential vulnerability reports from different sources and is redirecting them to different projects, in this case the Glassfish project.

Technically, those reports end up as confidential issues in https://gitlab.eclipse.org/security/vulnerability-reports/ and are made public when the issue has been resolved. Currently we are adding the Project Leads of Glassfish to those issues. For most other projects, we're adding all the Committers - however we have one difficulty in the Glassfish situation. The difficulty is that there are quite many committers who have never logged in to the Eclipse Foundation GitLab instance, and because of that they cannot be added to any issues.

If the project wants more people to be added to those issues, we need to solve them: either everyone logs in at least once, or the Project decides to retire the Committer status from people who have been inactive for a long time. From a quick look, most of the people on the list have not contributed for a long time.

Committers who have never logged in to the EF GitLab instance:
https://www.eclipse.org/user/abandyopadhyay5jw
https://www.eclipse.org/user/ajosephmin
https://www.eclipse.org/user/apielagewgt
https://www.eclipse.org/user/jkumarwkl
https://www.eclipse.org/user/rgrcourt
https://www.eclipse.org/user/tyoshitomi
https://www.eclipse.org/user/pbhatvbu
https://www.eclipse.org/user/tkraus
https://www.eclipse.org/user/gguptael7
https://www.eclipse.org/user/gerdogdunla
https://www.eclipse.org/user/alfonsoaltamirano
https://www.eclipse.org/user/paubrecht
https://www.eclipse.org/user/rgoldtef
What do you think?

Kind regards,
Marta Rybczynska
Technical Program Manager, Security Team, Eclipse Foundation

_______________________________________________
glassfish-dev mailing list
mailto:glassfish-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/glassfish-dev
