From: Rob Weir
To: general@incubator.apache.org
Date: Thu, 12 Apr 2012 17:20:33 -0400
Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of "April2012" by robweir)

On Thu, Apr 12, 2012 at 5:08 PM, Dave Fisher wrote:
>
> On Apr 12, 2012, at 1:00 PM, Dennis E. Hamilton wrote:
>
>> Yes, this was already raised on the PPMC (on March 22) as you know. It seems to me that the PPMC is not concerned.
>>
>> It is interesting that it is thought, here, that the remedy is to add more ooo-security subscribers from the PPMC. That had not come up before.
>
> Well I did raise it on ooo-private. My suggestion was to add someone who understood Linux distributions to ooo-security ASAP. I got blowback. This was unfortunate. Since then we've had discussions about culture, politeness and apologies. There was some discussion about OpenOffice and Linux distro on ooo-dev, but more in context of the AOO release plans.
>
> My frustration about not being informed was that no one gave even the slightest notice OFFLIST that there was a reason that certain people were asking the project questions and that things were not as I thought and I should move on and let the world revolve. This is particularly true since I was responding with what I had every reason to believe was the project policy.
>
> Emotions pass. What's the root cause? It's a communication problem, why was communication blocked?
>
> If there are individuals on a PPMC that the podling security team and Mentors feel are not trustworthy enough that it is decided to forgo the minimal courtesy of keeping the PPMC informed to manage the process as Dennis described then perhaps the problem is with the PPMC membership itself.
>
> Normally a podling will set the PMC as part of the graduation resolution. Perhaps the AOO PPMC membership needs to be revised sooner. Any advice?
>

So step back, to when the podling received notice of our first security report. The Apache Security Team would not give it to the PPMC, not even on ooo-private. The issue was not the size of the PPMC per se, or even its status as a podling. The issue was the way in which the "initial committers" were selected, that anyone could just walk in "off the street" in essence, put their name down and be an instant PPMC member. Needless to say, a group of nearly 100 initial committers formed that way is not the best way to have a secure discussion. So the request, at that time, was to make a smaller list -- ooo-security -- and to share such sensitive information only on that list. Of course, Mentors and other Apache Members can view that list, as can Apache Security Team members.

I have no doubts that as a TLP the AOO PMC will shed 30%+ of the current membership. That would take care of the names of people who signed up, returned the ICLA but then have not been heard of since. I think we can reach the point where matters of some sensitivity can be shared more broadly on ooo-private.

But you also need to understand that this is not only about trust. It is about security. If I personally trusted you like a brother, and trusted every PPMC member like a brother (or sister) it would not make sense to share all security information with a list of 90 trusted siblings. Why? Because of human error. Because of stolen iPhones. Because of accidentally forwarded emails. Because of accidentally typed recipients. Because of 4am's and because shit happens. It will never make sense to share such sensitive information more broadly than needed to deal with the actual security issue. This is not about trust. It is about compartmentalization. In other words, the security list is about security.

-Rob

> Regards,
> Dave
>
>
>>
>> - Dennis
>>
>> -----Original Message-----
>> From: Ross Gardler [mailto:rgardler@opendirective.com]
>> Sent: Thursday, April 12, 2012 12:41
>> To: general@incubator.apache.org; dennis.hamilton@acm.org
>> Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of "April2012" by robweir)
>>
>> On 12 April 2012 17:32, Dennis E. Hamilton wrote:
>>> I don't think the problem is with the size of the ooo-security list membership. I think it is in the assumption that the [P]PMC has somehow delegated the ability to make a release of any kind to the ooo-security team. I don't mean slip-streaming fixes and working off the public SVN until that happens. I mean developing and deploying all the rest of what accompanies an advisory along with provision of a mitigation.
>>>
>>
>> Whether this is the case or not should be discussed on the ooo-dev
>> lists rather than the IPMC general list. This is not an IPMC issue.
>> All IPMC members are free to join that list or read its archives if
>> they so desire.
>>
>> Ross

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org