Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of "April2012" by robweir)
From: Dave Fisher
Date: Thu, 12 Apr 2012 14:58:47 -0700
To: general@incubator.apache.org
Message-Id: <4670692A-029E-417D-A10F-1F1F35C8137F@comcast.net>
References: <4F866B7D.7050301@rowe-clan.net> <00d201cd18c9$e7d2fdf0$b778f9d0$@acm.org> <015701cd18e6$ec90cdf0$c5b269d0$@acm.org>

On Apr 12, 2012, at 2:20 PM, Rob Weir wrote:

> On Thu, Apr 12, 2012 at 5:08 PM, Dave Fisher wrote:
>>
>> On Apr 12, 2012, at 1:00 PM, Dennis E. Hamilton wrote:
>>
>>> Yes, this was already raised on the PPMC (on March 22) as you know. It seems to me that the PPMC is not concerned.
>>>
>>> It is interesting that it is thought, here, that the remedy is to add more ooo-security subscribers from the PPMC. That had not come up before.
>>
>> Well I did raise it on ooo-private. My suggestion was to add someone who understood Linux distributions to ooo-security ASAP. I got blowback. This was unfortunate. Since then we've had discussions about culture, politeness and apologies. There was some discussion about OpenOffice and Linux distro on ooo-dev, but more in context of the AOO release plans.
>>
>> My frustration about not being informed was that no one gave even the slightest notice OFFLIST that there was a reason that certain people were asking the project questions and that things were not as I thought and I should move on and let the world revolve. This is particularly true since I was responding with what I had every reason to believe was the project policy.
>>
>> Emotions pass. What's the root cause? It's a communication problem, why was communication blocked?
>>
>> If there are individuals on a PPMC that the podling security team and Mentors feel are not trustworthy enough that it is decided to forgo the minimal courtesy of keeping the PPMC informed to manage the process as Dennis described then perhaps the problem is with the PPMC membership itself.
>>
>> Normally a podling will set the PMC as part of the graduation resolution. Perhaps the AOO PPMC membership needs to be revised sooner. Any advice?
>>
>
> So step back, to when the podling received notice of our first security report. The Apache Security Team would not give it to the PPMC, not even on ooo-private. The issue was not the size of the PPMC per se, or even its status as a podling. The issue was the way in which the "initial committers" were selected, that anyone could just walk in "off the street" in essence, put their name down and be an instant PPMC member. Needless to say, a group of nearly 100 initial committers formed that way is not the best way to have a secure discussion.
>
> So the request, at that time, was to make a smaller list -- ooo-security -- and to share such sensitive information only on that list. Of course, Mentors and other Apache Members can view that list, as can Apache Security Team members.
>
> I have no doubts that as a TLP the AOO PMC will shed 30%+ of the current membership. That would take care of the names of people who signed up, returned the ICLA but then have not been heard of since. I think we can reach the point where matters of some sensitivity can be shared more broadly on ooo-private.
>
> But you also need to understand that this is not only about trust. It is about security. If I personally trusted you like a brother, and trusted every PPMC member like a brother (or sister) it would not make sense to share all security information with a list of 90 trusted siblings. Why? Because of human error. Because of stolen iPhones. Because of accidentally forwarded emails. Because of accidentally typed recipients. Because of 4am's and because shit happens. It will never make sense to share such sensitive information more broadly than needed to deal with the actual security issue. This is not about trust. It is about compartmentalization. In other words, the security list is about security.

I do understand that security is special. You miss my point. I'm not talking about the actual security issue detail. Just that a security announcement, release, whatever is about to happen. As a PPMC member I should be able to ask questions in advance about how it is being handled. If nothing else, to help make sure that there is some form of oversight.

I am also talking about more subtly informing someone without disclosing any real information. As you said security@ did inform us that there was an issue, but not the details.

Regards,
Dave

>
> -Rob
>
>> Regards,
>> Dave
>>
>>>
>>> - Dennis
>>>
>>> -----Original Message-----
>>> From: Ross Gardler [mailto:rgardler@opendirective.com]
>>> Sent: Thursday, April 12, 2012 12:41
>>> To: general@incubator.apache.org; dennis.hamilton@acm.org
>>> Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of "April2012" by robweir)
>>>
>>> On 12 April 2012 17:32, Dennis E. Hamilton wrote:
>>>> I don't think the problem is with the size of the ooo-security list membership. I think it is in the assumption that the [P]PMC has somehow delegated the ability to make a release of any kind to the ooo-security team. I don't mean slip-streaming fixes and working off the public SVN until that happens. I mean developing and deploying all the rest of what accompanies an advisory along with provision of a mitigation.
>>>>
>>>
>>> Whether this is the case or not should be discussed on the ooo-dev lists rather than the IPMC general list. This is not an IPMC issue. All IPMC members are free to join that list or read its archives if they so desire.
>>>
>>> Ross
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>>> For additional commands, e-mail: general-help@incubator.apache.org