Skip to content

Trust page: explain the security advisory workload and why a busy advisory page is a good sign#1695

Merged
oscerd merged 1 commit into
apache:mainfrom
oscerd:trust-proactive-security-section
Jul 13, 2026
Merged

Trust page: explain the security advisory workload and why a busy advisory page is a good sign#1695
oscerd merged 1 commit into
apache:mainfrom
oscerd:trust-proactive-security-section

Conversation

@oscerd

@oscerd oscerd commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Summary

Recent releases have shipped a large batch of CVE advisories. This adds a box to the Trust by Default page that addresses that head-on: it frames the volume as evidence of an active security effort rather than a leaky framework, and explains the work and timing behind each advisory.

The new box sits directly after "Security handled in the open", so the two read as a pair — first how vulnerabilities are handled, then what it costs and why you see so many.

What the section says

  • Where reports come from — researchers across the industry report to the ASF's private security list, and the project also audits proactively: when one component is found to mishandle inbound message headers, the whole connector portfolio is swept for the same pattern rather than patching only the reported one. That is why advisories arrive in families.
  • Every reporter is credited by name in the advisory.
  • The work behind each one — triage against the Security Model, a fix with regression tests, a backport to every supported release line, a CVE assignment, and a written, signed advisory with the affected version ranges and an applicable workaround.
  • The timing — nothing is published until the fixes have shipped (coordinated disclosure).
  • Above and beyond — advisories are published even when a hardening change has no known exploit path, "because the alternative is asking you to trust a silence you cannot check."

Notes

  • No hardcoded advisory count. The copy deliberately uses durable framing ("a lot of", "in families") rather than a number, since any count drifts with every release. Verified: the new section contains no digits.
  • Reuses the existing security icon and the established box/shortcode structure; shortcode open/close balance verified (20/20).
  • Single file changed, additive only.

🤖 Generated with Claude Code

Recent releases have shipped a large batch of CVE advisories. Add a box to the Trust page that frames that volume as evidence of an active security effort rather than a failing framework, and explains the work and timing behind each advisory: triage against the Security Model, a fix with regression tests, a backport to every supported release line, a CVE assignment, and a signed advisory with affected ranges and a workaround, none of it public until the fixes have shipped. Also notes that advisories are published even for defensive hardening with no known exploit path, and that every reporter is credited by name. Deliberately uses durable framing with no hardcoded advisory count, since that number drifts with every release.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
@oscerd oscerd force-pushed the trust-proactive-security-section branch from 7d38416 to 7675a76 Compare July 13, 2026 12:23
@oscerd oscerd requested a review from davsclaus July 13, 2026 12:31
@oscerd oscerd merged commit e52b748 into apache:main Jul 13, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants