Versions Compared

Old Version 2

changes.mady.by.user Sam Ruby

Saved on

compared with

New Version 3

changes.mady.by.user Mark J. Cox

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: add headings and statement section tbd

*** Unsent and unapproved draft ***

How the ASF keeps our projects secure

(add 3-4 bullet points about our controls and processes here and how they help, lead to these as recommended practices)

About the recent issues in log4j

Before jumping directly into what positions we have at the ASF, it is worth describing the factors contributing to the recent log4j vulnerability.  Our recommendations are based on those experiences.

...

Since the vulnerability was disclosed, we had a number of inquiries from people trying to determine out if they were affected by this vulnerability.  It turns out many were running log4j version 1, which was discontinued in 2015.  The good news is that this particular vulnerability does not affect them.  The bad news is that the code they are running has not benefited from any security fixes in many years.

Recommendations

These experiences inform our positions on a number of items.

  • We support the notion of identifying critical components, even though that process is always going to be incomplete and imperfect.  As our software is without cost and can be downloaded by anybody, we have no way of knowing how widely our projects are used.  This means that by necessity determining if a component is critical can only either be determined by indirect means such as download counts, or by identifying critical products first, and then getting an inventory of what components those products embed.
  • We eagerly welcome audits and fixes from any source.  We have a process defined for doing so: https://www.apache.org/security/.  Our one caution is that we have prior experiences with audits and it is not productive when those audits produce a number of false positives.  See https://s.apache.org/fhoji.  It is worth noting that many automated means of performing an audit are more suited to detecting bugs inside a single component rather than identifying a vulnerability that is composed of combination of intentional features such as the one we saw with log4j.
  • The problem of not knowing where our releases are being used needs to be fixed.  This problem is not unique to the ASF, so it makes sense for there to be industry standards and best practices.  We are prepared to participate in these activities.
  • It is particularly frustrating to us that we can produces fixes in a matter of days or weeks and not to have those fixes be picked up for months or years.  This is the problem that we see as most pressing.

...