pgsty
diff --git a/‎README.md‎
Lines changed: 1 addition & 2 deletions b/‎README.md‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎SECURITY.md‎
Lines changed: 10 additions & 32 deletions b/‎SECURITY.md‎
Lines changed: 10 additions & 32 deletions
diff --git a/‎VULNERABILITY_REPORT.md‎
Lines changed: 19 additions & 20 deletions b/‎VULNERABILITY_REPORT.md‎
Lines changed: 19 additions & 20 deletions
diff --git a/‎docs/bigdata/README.md‎
Lines changed: 12 additions & 12 deletions b/‎docs/bigdata/README.md‎
Lines changed: 12 additions & 12 deletions
diff --git a/‎docs/bucket/lifecycle/DESIGN.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/bucket/lifecycle/DESIGN.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/bucket/quota/README.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/bucket/quota/README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/bucket/replication/DESIGN.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/bucket/replication/DESIGN.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/bucket/replication/README.md‎
Lines changed: 6 additions & 6 deletions b/‎docs/bucket/replication/README.md‎
Lines changed: 6 additions & 6 deletions
@@ -8,7 +8,7 @@
 [![Docker Image](https://img.shields.io/badge/Docker-pgsty/minio-%232496ED?style=flat&logo=docker&logoColor=white)](https://hub.docker.com/r/pgsty/minio)
 
 > [!IMPORTANT]
-> **This is a community-maintained fork of [minio/minio](https://github.com/minio/minio), maintained by [Pigsty](https://pigsty.io).**
+> **This is a community-maintained fork of the upstream MinIO project, maintained by [Pigsty](https://pigsty.io).**
 > This project is **NOT** affiliated with, endorsed by, or sponsored by MinIO, Inc.
 > "MinIO" is a trademark of MinIO, Inc., used here solely to identify the upstream project.
 >
@@ -29,4 +29,3 @@ Console: [`georgmangold/console`](https://github.com/georgmangold/console/), a c
 Ansible Deployment: [https://pigsty.io/docs/minio](https://pigsty.io/docs/minio)
 
 APT/YUM repo for `minio` and `mcli` binary: [https://pigsty.io/docs/infra](https://pigsty.io/docs/repo/infra/list/#object-storage)
-
@@ -1,42 +1,20 @@
 # Security Policy
 
+This repository is the `pgsty/minio` community fork of `minio/minio`. Upstream MinIO security contacts do not handle fork-specific fixes or release notes for this repository.
+
 ## Supported Versions
 
-We always provide security updates for the [latest release](https://github.com/minio/minio/releases/latest).
-Whenever there is a security update you just need to upgrade to the latest version.
+Security fixes are tracked on the active `master` branch and summarized in [docs/security/advisories.md](docs/security/advisories.md).
 
 ## Reporting a Vulnerability
 
-All security bugs in [minio/minio](https://github,com/minio/minio) (or other minio/* repositories)
-should be reported by email to security@min.io. Your email will be acknowledged within 48 hours,
-and you'll receive a more detailed response to your email within 72 hours indicating the next steps
-in handling your report.
-
-Please, provide a detailed explanation of the issue. In particular, outline the type of the security
-issue (DoS, authentication bypass, information disclose, ...) and the assumptions you're making (e.g. do
-you need access credentials for a successful exploit).
-
-If you have not received a reply to your email within 48 hours or you have not heard from the security team
-for the past five days please contact the security team directly:
-
-- Primary security coordinator: aead@min.io
-- Secondary coordinator: harsha@min.io
-- If you receive no response: dev@min.io
-
-### Disclosure Process
+For vulnerabilities in this fork:
 
-MinIO uses the following disclosure process:
+1. Follow the fork-specific expectations in [VULNERABILITY_REPORT.md](VULNERABILITY_REPORT.md).
+2. Prefer the `pgsty/minio` repository's GitHub security reporting workflow when it is available.
+3. If private reporting is not available, contact the maintainers through the `pgsty/minio` repository before publishing detailed exploit information.
+4. If you confirm the issue also affects upstream `minio/minio`, report it upstream separately.
 
-1. Once the security report is received one member of the security team tries to verify and reproduce
-   the issue and determines the impact it has.
-2. A member of the security team will respond and either confirm or reject the security report.
-   If the report is rejected the response explains why.
-3. Code is audited to find any potential similar problems.
-4. Fixes are prepared for the latest release.
-5. On the date that the fixes are applied a security advisory will be published on <https://blog.min.io>.
-   Please inform us in your report email whether MinIO should mention your contribution w.r.t. fixing
-   the security issue. By default MinIO will **not** publish this information to protect your privacy.
+## Disclosure Process
 
-This process can take some time, especially when coordination is required with maintainers of other projects.
-Every effort will be made to handle the bug in as timely a manner as possible, however it's important that we
-follow the process described above to ensure that disclosures are handled consistently.
+Fork-specific fixes and user-visible upgrade notes are published in [docs/security/advisories.md](docs/security/advisories.md). The fork-specific triage and remediation process is described in [VULNERABILITY_REPORT.md](VULNERABILITY_REPORT.md).
@@ -1,38 +1,37 @@
 # Vulnerability Management Policy
 
-This document formally describes the process of addressing and managing a
-reported vulnerability that has been found in the MinIO server code base,
-any directly connected ecosystem component or a direct / indirect dependency
-of the code base.
+This document describes how the `pgsty/minio` maintainers investigate,
+assess, and remediate reported vulnerabilities affecting this fork, any
+directly shipped component, or a direct / indirect dependency used by this
+repository.
 
 ## Scope
 
-The vulnerability management policy described in this document covers the
-process of investigating, assessing and resolving a vulnerability report
-opened by a MinIO employee or an external third party.
+This policy covers vulnerability reports opened by repository maintainers or
+external third parties against `pgsty/minio` itself, its release artifacts, or
+dependencies that materially affect this fork.
 
-Therefore, it lists pre-conditions and actions that should be performed to
-resolve and fix a reported vulnerability.
+It defines the information needed for triage and the expected remediation
+workflow for supported fixes.
 
 ## Vulnerability Management Process
 
-The vulnerability management process requires that the vulnerability report
-contains the following information:
+A useful vulnerability report should contain the following information:
 
 - The project / component that contains the reported vulnerability.
 - A description of the vulnerability. In particular, the type of the
-   reported vulnerability and how it might be exploited. Alternatively,
-   a well-established vulnerability identifier, e.g. CVE number, can be
-   used instead.
+  reported vulnerability and how it might be exploited. Alternatively,
+  a well-established vulnerability identifier, such as a CVE or GHSA ID, can
+  be used instead.
 
-Based on the description mentioned above, a MinIO engineer or security team
-member investigates:
+Based on the report, the `pgsty/minio` maintainers investigate:
 
 - Whether the reported vulnerability exists.
 - The conditions that are required such that the vulnerability can be exploited.
+- Which releases, branches, or deployment paths are affected.
 - The steps required to fix the vulnerability.
 
-In general, if the vulnerability exists in one of the MinIO code bases
-itself - not in a code dependency - then MinIO will, if possible, fix
-the vulnerability or implement reasonable countermeasures such that the
-vulnerability cannot be exploited anymore.
+If the vulnerability exists in this fork itself, the maintainers will, when
+feasible, fix the issue or implement reasonable countermeasures such that the
+vulnerability can no longer be exploited. Fork-specific upgrade notes and
+security advisories are published in `docs/security/advisories.md`.
@@ -2,7 +2,7 @@
 
 ## **1. Cloud-native Architecture**
 
-![cloud-native](https://github.com/minio/minio/blob/master/docs/bigdata/images/image1.png?raw=true "cloud native architecture")
+![cloud-native](https://github.com/pgsty/minio/blob/master/docs/bigdata/images/image1.png?raw=true "cloud native architecture")
 
 Kubernetes manages stateless Spark and Hive containers elastically on the compute nodes. Spark has native scheduler integration with Kubernetes. Hive, for legacy reasons, uses YARN scheduler on top of Kubernetes.
 
@@ -23,17 +23,17 @@ MinIO also supports multi-cluster, multi-site federation similar to AWS regions
 
 After successful installation navigate to the Ambari UI `http://<ambari-server>:8080/` and login using the default credentials: [**_username: admin, password: admin_**]
 
-![ambari-login](https://github.com/minio/minio/blob/master/docs/bigdata/images/image3.png?raw=true "ambari login")
+![ambari-login](https://github.com/pgsty/minio/blob/master/docs/bigdata/images/image3.png?raw=true "ambari login")
 
 ### **3.1 Configure Hadoop**
 
 Navigate to **Services** -> **HDFS** -> **CONFIGS** -> **ADVANCED** as shown below
 
-![hdfs-configs](https://github.com/minio/minio/blob/master/docs/bigdata/images/image2.png?raw=true "hdfs advanced configs")
+![hdfs-configs](https://github.com/pgsty/minio/blob/master/docs/bigdata/images/image2.png?raw=true "hdfs advanced configs")
 
 Navigate to **Custom core-site** to configure MinIO parameters for `_s3a_` connector
 
-![s3a-config](https://github.com/minio/minio/blob/master/docs/bigdata/images/image5.png?raw=true "custom core-site")
+![s3a-config](https://github.com/pgsty/minio/blob/master/docs/bigdata/images/image5.png?raw=true "custom core-site")
 
 ```
 sudo pip install yq
@@ -100,17 +100,17 @@ The rest of the other optimization options are discussed in the links below
 
 Once the config changes are applied, proceed to restart **Hadoop** services.
 
-![hdfs-services](https://github.com/minio/minio/blob/master/docs/bigdata/images/image7.png?raw=true "hdfs restart services")
+![hdfs-services](https://github.com/pgsty/minio/blob/master/docs/bigdata/images/image7.png?raw=true "hdfs restart services")
 
 ### **3.2 Configure Spark2**
 
 Navigate to **Services** -> **Spark2** -> **CONFIGS** as shown below
 
-![spark-config](https://github.com/minio/minio/blob/master/docs/bigdata/images/image6.png?raw=true "spark config")
+![spark-config](https://github.com/pgsty/minio/blob/master/docs/bigdata/images/image6.png?raw=true "spark config")
 
 Navigate to “**Custom spark-defaults**” to configure MinIO parameters for `_s3a_` connector
 
-![spark-config](https://github.com/minio/minio/blob/master/docs/bigdata/images/image9.png?raw=true "spark defaults")
+![spark-config](https://github.com/pgsty/minio/blob/master/docs/bigdata/images/image9.png?raw=true "spark defaults")
 
 Add the following optimal entries for _spark-defaults.conf_ to configure Spark with **MinIO**.
 
@@ -146,17 +146,17 @@ spark.hadoop.fs.s3a.threads.max 2048 # maximum number of threads for S3A
 
 Once the config changes are applied, proceed to restart **Spark** services.
 
-![spark-config](https://github.com/minio/minio/blob/master/docs/bigdata/images/image12.png?raw=true "spark restart services")
+![spark-config](https://github.com/pgsty/minio/blob/master/docs/bigdata/images/image12.png?raw=true "spark restart services")
 
 ### **3.3 Configure Hive**
 
 Navigate to **Services** -> **Hive** -> **CONFIGS**-> **ADVANCED** as shown below
 
-![hive-config](https://github.com/minio/minio/blob/master/docs/bigdata/images/image10.png?raw=true "hive advanced config")
+![hive-config](https://github.com/pgsty/minio/blob/master/docs/bigdata/images/image10.png?raw=true "hive advanced config")
 
 Navigate to “**Custom hive-site**” to configure MinIO parameters for `_s3a_` connector
 
-![hive-config](https://github.com/minio/minio/blob/master/docs/bigdata/images/image11.png?raw=true "hive advanced config")
+![hive-config](https://github.com/pgsty/minio/blob/master/docs/bigdata/images/image11.png?raw=true "hive advanced config")
 
 Add the following optimal entries for `hive-site.xml` to configure Hive with **MinIO**.
 
@@ -171,11 +171,11 @@ mapreduce.input.fileinputformat.list-status.num-threads=50
 
 For more information about these options please visit [https://www.cloudera.com/documentation/enterprise/5-11-x/topics/admin_hive_on_s3_tuning.html](https://www.cloudera.com/documentation/enterprise/5-11-x/topics/admin_hive_on_s3_tuning.html)
 
-![hive-config](https://github.com/minio/minio/blob/master/docs/bigdata/images/image13.png?raw=true "hive advanced custom config")
+![hive-config](https://github.com/pgsty/minio/blob/master/docs/bigdata/images/image13.png?raw=true "hive advanced custom config")
 
 Once the config changes are applied, proceed to restart all Hive services.
 
-![hive-config](https://github.com/minio/minio/blob/master/docs/bigdata/images/image14.png?raw=true "restart hive services")
+![hive-config](https://github.com/pgsty/minio/blob/master/docs/bigdata/images/image14.png?raw=true "restart hive services")
 
 ## **4. Run Sample Applications**
 
 
@@ -1,6 +1,6 @@
 # ILM Tiering Design [![slack](https://slack.min.io/slack?type=svg)](https://slack.min.io) [![Docker Pulls](https://img.shields.io/docker/pulls/minio/minio.svg?maxAge=604800)](https://hub.docker.com/r/minio/minio/)
 
-Lifecycle transition functionality provided in [bucket lifecycle guide](https://github.com/minio/minio/master/docs/bucket/lifecycle/README.md) allows tiering of content from MinIO object store to public clouds or other MinIO clusters.
+Lifecycle transition functionality provided in [bucket lifecycle guide](https://github.com/pgsty/minio/blob/master/docs/bucket/lifecycle/README.md) allows tiering of content from MinIO object store to public clouds or other MinIO clusters.
 
 Transition tiers can be added to MinIO using `mc admin tier add` command to associate a `gcs`, `s3` or `azure` bucket or prefix path on a bucket to the tier name.
 Lifecycle transition rules can be applied to buckets (both versioned and un-versioned) by specifying the tier name defined above as the transition storage class for the lifecycle rule.
 
@@ -1,6 +1,6 @@
 # Bucket Quota Configuration Quickstart Guide [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io) [![Docker Pulls](https://img.shields.io/docker/pulls/minio/minio.svg?maxAge=604800)](https://hub.docker.com/r/minio/minio/)
 
-![quota](https://raw.githubusercontent.com/minio/minio/master/docs/bucket/quota/bucketquota.png)
+![quota](https://raw.githubusercontent.com/pgsty/minio/master/docs/bucket/quota/bucketquota.png)
 
 Buckets can be configured to have `Hard` quota - it disallows writes to the bucket after configured quota limit is reached.
 
 
@@ -1,6 +1,6 @@
 # Bucket Replication Design [![slack](https://slack.min.io/slack?type=svg)](https://slack.min.io) [![Docker Pulls](https://img.shields.io/docker/pulls/minio/minio.svg?maxAge=604800)](https://hub.docker.com/r/minio/minio/)
 
-This document explains the design approach of server side bucket replication. If you're looking to get started with replication, we suggest you go through the [Bucket replication guide](https://github.com/minio/minio/blob/master/docs/bucket/replication/README.md) first.
+This document explains the design approach of server side bucket replication. If you're looking to get started with replication, we suggest you go through the [Bucket replication guide](https://github.com/pgsty/minio/blob/master/docs/bucket/replication/README.md) first.
 
 ## Overview
 
@@ -59,7 +59,7 @@ If 3 or more targets are participating in active-active replication, the replica
 
 ### Internal metadata for replication
 
-`xl.meta` that is in use for [versioning](https://github.com/minio/minio/blob/master/docs/bucket/versioning/DESIGN.md) has additional metadata for replication of objects,delete markers and versioned deletes.
+`xl.meta` that is in use for [versioning](https://github.com/pgsty/minio/blob/master/docs/bucket/versioning/DESIGN.md) has additional metadata for replication of objects,delete markers and versioned deletes.
 
 ### Metadata for object replication - on source
 
 
@@ -94,7 +94,7 @@ The access key provided for the replication *target* cluster should have these m
 }
 ```
 
-Please note that the permissions required by the admin user on the target cluster can be more fine grained to exclude permissions like "s3:ReplicateDelete", "s3:GetBucketObjectLockConfiguration" etc depending on whether delete replication rules are set up or if object locking is disabled on `destbucket`. The above policies assume that replication of objects, tags and delete marker replication are all enabled on object lock enabled buckets. A sample script to setup replication is provided [here](https://github.com/minio/minio/blob/master/docs/bucket/replication/setup_replication.sh)
+Please note that the permissions required by the admin user on the target cluster can be more fine grained to exclude permissions like "s3:ReplicateDelete", "s3:GetBucketObjectLockConfiguration" etc depending on whether delete replication rules are set up or if object locking is disabled on `destbucket`. The above policies assume that replication of objects, tags and delete marker replication are all enabled on object lock enabled buckets. A sample script to setup replication is provided [here](https://github.com/pgsty/minio/blob/master/docs/bucket/replication/setup_replication.sh)
 
 To set up replication from a source bucket `srcbucket` on myminio cluster to a bucket `destbucket` on the target minio cluster with endpoint https://replica-endpoint:9000, use:
 ```
@@ -161,9 +161,9 @@ Replication status can be seen in the metadata on the source and destination obj
 
 To perform bi-directional replication, repeat the above process on the target site - this time setting the source bucket as the replication target. It is recommended that replication be run in a system with at least two CPU's available to the process, so that replication can run in its own thread.
 
-![put](https://raw.githubusercontent.com/minio/minio/master/docs/bucket/replication/PUT_bucket_replication.png)
+![put](https://raw.githubusercontent.com/pgsty/minio/master/docs/bucket/replication/PUT_bucket_replication.png)
 
-![head](https://raw.githubusercontent.com/minio/minio/master/docs/bucket/replication/HEAD_bucket_replication.png)
+![head](https://raw.githubusercontent.com/pgsty/minio/master/docs/bucket/replication/HEAD_bucket_replication.png)
 
 ## Replica Modification sync
 
@@ -210,11 +210,11 @@ Also note that `mc` version `RELEASE.2021-09-02T09-21-27Z` or older supports onl
 
 Status of delete marker replication can be viewed by doing a GET/HEAD on the object version - it will return a `X-Minio-Replication-DeleteMarker-Status` header and http response code of `405`. In the case of permanent deletes, if the delete replication is pending or failed to propagate to the target cluster, GET/HEAD will return additional `X-Minio-Replication-Delete-Status` header and a http response code of `405`.
 
-![delete](https://raw.githubusercontent.com/minio/minio/master/docs/bucket/replication/DELETE_bucket_replication.png)
+![delete](https://raw.githubusercontent.com/pgsty/minio/master/docs/bucket/replication/DELETE_bucket_replication.png)
 
 The status of replication can be monitored by configuring event notifications on the source and target buckets using `mc event add`.On the source side, the `s3:PutObject`, `s3:Replication:OperationCompletedReplication` and `s3:Replication:OperationFailedReplication` events show the status of replication in the `X-Amz-Replication-Status` metadata.
 
-On the target bucket, `s3:PutObject` event shows `X-Amz-Replication-Status` status of `REPLICA` in the metadata. Additional metrics to monitor backlog state for the purpose of bandwidth management and resource allocation are exposed via Prometheus - see <https://github.com/minio/minio/blob/master/docs/metrics/prometheus/list.md> for more details.
+On the target bucket, `s3:PutObject` event shows `X-Amz-Replication-Status` status of `REPLICA` in the metadata. Additional metrics to monitor backlog state for the purpose of bandwidth management and resource allocation are exposed via Prometheus - see <https://github.com/pgsty/minio/blob/master/docs/metrics/prometheus/list.md> for more details.
 
 ### Sync/Async Replication
 
@@ -276,6 +276,6 @@ MinIO does not support SSE-C encrypted objects on replicated buckets, any applic
 
 ## Explore Further
 
-- [MinIO Bucket Replication Design](https://github.com/minio/minio/blob/master/docs/bucket/replication/DESIGN.md)
+- [MinIO Bucket Replication Design](https://github.com/pgsty/minio/blob/master/docs/bucket/replication/DESIGN.md)
 - [MinIO Bucket Versioning Implementation](https://docs.min.io/community/minio-object-store/administration/object-management/object-retention.html)
 - [MinIO Client Quickstart Guide](https://docs.min.io/community/minio-object-store/reference/minio-mc.html#quickstart)