Project and Community Services the Apache Way
2 likes412 views
The document outlines the mission and services of the Apache Software Foundation (ASF), a charitable organization that supports open source software projects. It emphasizes the ASF's commitment to providing a neutral space for independent projects and discusses the importance of community best practices and security protocols. Additionally, it highlights a specific security vulnerability report process within the ASF.
![Dear Apache <project> PMC,
The attached security vulnerability report has been received
by the Apache Security Team and is being passed to you
for action.
Please take careful note of the following:
- This information is private and should be treated accordingly. The
issue must not be discussed on a public mailing list, it must not
be added to a public bug tracker, etc.
- The <project> PMC is responsible for resolving this issue. The
security team is here to provide help and advice but the
responsibility to do the work lies with the <project> PMC.
You may find the "ASF Project Security for Committers" [1] a useful
reference. This e-mail represents step 3 of that process.
Step 4 should be completed asap.
Kind regards,
Mark, for the Apache Security Team
[1] http://www.apache.org/security/committers.html
security@
apache
->
project](https://image.slidesharecdn.com/ossparis-community-summit-2017-apache-171208105052/85/Project-and-Community-Services-the-Apache-Way-16-320.jpg)
Project and Community Services the Apache Way
- 1. Project + Community Services The Apache Way slides revision: 2017-12-06 - photos: Adobe Stock, unless otherwise specified Emmanuel Lécharny - @elecharny_tek Apache Software Foundation Member Software Architect, Symas Bertrand Delacrétaz - @bdelacretaz Member of the Board of Directors, Apache Software Foundation Principal Scientist, Adobe Research Switzerland Paris Open Source Summit 2017 - Community Summit
- 2. What?
- 3. The ASF’s Mission The Apache Software Foundation (ASF) is a US 501(c)(3) charitable organization. Its mission is to provide Open Source software for the public good. We do this by providing services and support for many like-minded software project communities of individuals who choose to join the ASF. https://www.apache.org/foundation/ A neutral space in which projects which are independent from any corporate influence can prosper and create Open Source software for the public good. Under the business-friendly Apache License 2.0 photos: http://archive.apachecon.com/c/
- 4. About 300 top-level projects, 50 in incubation and 40 in attic.apache.org Clean retirement is part of the ASF project’s lifecycle
- 5. Which parts of the value chain? Documentation Marketing Packaging Configuration Helpdesk Operations source code product system Architecture Development Tests unitaires Write source code, distribute and document it…that’s all.
- 6. Services?
- 7. Neutral independent space Nobody can pull the plug…
- 8. sim ple, solid infrastructure build track talk code on to the next 50 years…
- 11. Tradem arks
- 12. Value Chain?
- 13. Value chain? source code product system Write source code, distribute and document it… that’s all. The ASF’s services are primarily meant for its projects and developers - users will need some assembly.
- 14. Example: security at the ASF
- 15. -------- Forwarded Message -------- Subject: Command Injection through LDAP CSV export Date: Mon, 30 Nov 2015 00:12:52 +0500 From: xxx@gmail.com> To: security@apache.org Hello there Apache team, This is Whitehat and i would like to report a command injection vulnerability in the Apache <project> CSV export feature described in https://<project>.apache.org/<project>users-guide/tools_csvexport_wizard.html The "CSV export" feature of Apache Activity records that sends out does not properly "escape" fields. This allows malicious users to turn the editable fields into active content so when that when users downloads the ticket data csv and opens it, the active content gets executed. Mitigation Ensure all fields are properly "escaped" before returning the CSV file to the user. ALARM all hands on deck!
- 16. Dear Apache <project> PMC, The attached security vulnerability report has been received by the Apache Security Team and is being passed to you for action. Please take careful note of the following: - This information is private and should be treated accordingly. The issue must not be discussed on a public mailing list, it must not be added to a public bug tracker, etc. - The <project> PMC is responsible for resolving this issue. The security team is here to provide help and advice but the responsibility to do the work lies with the <project> PMC. You may find the "ASF Project Security for Committers" [1] a useful reference. This e-mail represents step 3 of that process. Step 4 should be completed asap. Kind regards, Mark, for the Apache Security Team [1] http://www.apache.org/security/committers.html security@ apache -> project
- 18. Due diligence: your business - your responsibility ! Don’t blame OSS for not doing your job… Read the OSS “fine print”… Don’t you love those security reports? “12. DISCLAIMER OF WARRANTY. The software is licensed “as-is.” You bear the risk of using it. XXX gives no express warranties, guarantees or conditions.” (where XXX is a closed source vendor…)