Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: update security policy and add CVE info #24769

Merged
merged 3 commits into from
Jul 26, 2023

Conversation

dpgaspar
Copy link
Member

SUMMARY

By Apache Foundation recommendation this PR adds a comprehensive list of currently public CVEs by release to our docs
Also updates our current security policy to make it more comprehensive and adds a link to the CVEs.

Screenshot 2023-07-21 at 14 07 51

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@rusackas
Copy link
Member

I love it! Thank you for adding this. I guess just one question around the policy for the CVE page. It seems we have a few options, and I'm curious your intent:

  1. We can keep adding new versions, and maintaining the lists for the old versions
  2. We can keep adding new versions, and backfill prior versions as well
  3. We can add/trim entries to cover only the supported releases (last two major and/or minor versions, and patches thereof).

@dpgaspar
Copy link
Member Author

I love it! Thank you for adding this. I guess just one question around the policy for the CVE page. It seems we have a few options, and I'm curious your intent:

  1. We can keep adding new versions, and maintaining the lists for the old versions
  2. We can keep adding new versions, and backfill prior versions as well
  3. We can add/trim entries to cover only the supported releases (last two major and/or minor versions, and patches thereof).

My take is to handle this like a release note, so when a CVE is made public (normally a bit after a new release) we just append to the doc. So this means the CVEs are inserted on the release where they got solved. So 1 or 3.

What do you think?

@dpgaspar dpgaspar closed this Jul 25, 2023
@dpgaspar dpgaspar reopened this Jul 25, 2023
@dpgaspar dpgaspar merged commit 165afee into apache:master Jul 26, 2023
@dpgaspar dpgaspar deleted the docs/security-policy-upd branch July 26, 2023 13:21
@michael-s-molina michael-s-molina added the v3.0 Label added by the release manager to track PRs to be included in the 3.0 branch label Jul 26, 2023
michael-s-molina pushed a commit that referenced this pull request Jul 26, 2023
@mistercrunch mistercrunch added 🍒 3.0.0 🍒 3.0.1 🍒 3.0.2 🍒 3.0.3 🍒 3.0.4 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 3.1.0 labels Mar 8, 2024
vinothkumar66 pushed a commit to vinothkumar66/superset that referenced this pull request Nov 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels size/M v3.0 Label added by the release manager to track PRs to be included in the 3.0 branch 🍒 3.0.0 🍒 3.0.1 🍒 3.0.2 🍒 3.0.3 🍒 3.0.4 🚢 3.1.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants