incubator-general mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of "April2012" by robweir)
Date Thu, 12 Apr 2012 16:32:50 GMT
I don't think the problem is with the size of the ooo-security list membership.  I think it
is in the assumption that the [P]PMC has somehow delegated the ability to make a release of
any kind to the ooo-security team.  I don't mean slip-streaming fixes and working off the
public SVN until that happens.  I mean developing and deploying all the rest of what accompanies
an advisory along with provision of a mitigation.

The breakdowns were not in analyzing the reported vulnerability and the proof-of-exploit that
accompanied it.  I assume that ooo-security acquitted itself well in that regard as well as
with the coordination with other parties, including ones external to Apache, having common
concerns.  The breakdown was in all of the non-security considerations and assumptions, even
though they needed to be developed in confidence.  The PPMC would have provided a proper arena
for working that out.

The PPMC has much to offer concerning the announcement of CVEs and the appropriate coordination
and form of patch releases/updates.  Those with valuable perspective on the deployment strategy
and its support might have no sense of the technical work that ooo-security members undertake.

There was nothing about this particular vulnerability that made it dangerous for the PPMC
to know about it and the approach being taken to release an ASF-appropriate patch.  The exploit
is by crafting an ODF 1.2 document and all unpatched OO.o 3.x (and LibreOffice 3.x) installations
remain vulnerable.  I think it is safe to presume that there are, at this moment, significantly
more unpatched installations than patched ones and I see that as a greater concern, if there
is any, than consultation and review by the PPMC before the public advisory and patch release.
A significant number of people external to the PPMC, including non-experts and those who
may see themselves as competitors, knew about this prior to the announcement and there does
not appear to have been any damage.

 - Dennis

PS: I followed the public back-and-forth about the operation of security lists and venues
for security coordination that Dave Fisher feels embarrassed about.  I don't think it matters.
Whether there was a way for the Apache OpenOffice project to issue repairs to OpenOffice.org
distributions, or not, did not seem to be a significant feature of the dispute as I followed
it.  Indeed, knowledge of the possibility of an ASF patch was not a fact that could be used
as a counter-point.  Announcement of the particular vulnerability that was going to be dealt
with by ASF in that manner was still under embargo.

It remains a valid point that those who can't wait for a stable Apache OpenOffice release
to satisfy their security concerns, especially on Linux where there is still no Apache patch,
might want to look to other distributions whose current releases have that and other vulnerabilities
repaired.  It all depends.

-----Original Message-----
From: ant elder [mailto:ant.elder@gmail.com]
Sent: Thursday, April 12, 2012 02:04
To: general@incubator.apache.org
Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of "April2012" by robweir)

On Thu, Apr 12, 2012 at 9:36 AM, Ross Gardler
<rgardler@opendirective.com> wrote:
> On 12 April 2012 09:27, Ross Gardler <rgardler@opendirective.com> wrote:
>> On 12 April 2012 08:59, ant elder <ant.elder@gmail.com> wrote:
>>> On Thu, Apr 12, 2012 at 8:37 AM, Ross Gardler
>>> <rgardler@opendirective.com> wrote:
>>>> On 12 April 2012 07:48, Dave Fisher <dave2wave@comcast.net> wrote:
[ ... ]
>>>>> Sorry, I can't remain mute, but if I offended anyone, sorry, but this was
>>>>> wrongly done. I don't know a better way....
[ ... ]
>>> Surely at the ASF the line is at PMC membership. If only a subset of
>>> the PPMC is trusted enough to be part of some inner circle then the
>>> PPMC should be disbanded and reformed from just that inner circle.
>>
>> This is a podling with a very unusual history. it is not as simple as
>> that. However, your general observation is a valid one. The time for
>> addressing this is during incubation when it becomes possible to
>> determine who is contributing positively to the running of the PPMC.
>
> I should also point out that the perception that information was kept
> to a limited group implies mistrust of PPMC members is *false*. The
> PPMC have an appointed security team just as many top level PMCs do
> that team is tasked with handling security issues and it did so in
> this case.
>
> As has been noted, this was *not* an ASF release, only one
> *facilitated* by the ASF in the interests of supporting legacy users
> of a project that has come to incubation. It is a very unusual
> situation to which normal ASF policy does not apply. Handling it
> outside normal ASF processes does not imply a problem with those
> processes or the PPMC.
>
> Ross
>

Ross, I'm not trying to stick an oar in or anything and I don't know
the details of what was done other than what's in this thread here; it
just seems odd to me, and it seems like there is some acknowledgement
that this wasn't done perfectly, so we, the Incubator PMC, should
understand what happened. Sure, there are other security teams, but
AFAIK they operate in conjunction with PMCs and keep PMCs in the loop
that something is going on, just withholding precise details of the
vulnerability.

   ...ant

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
