incubator-ooo-dev mailing list archives

From "Dennis E. Hamilton" <orc...@apache.org>
Subject [DISCUSS] Creation of ooo-security List
Date Wed, 06 Jul 2011 19:02:31 GMT
[I am reminded that the best way to talk to the PPMC is on ooo-dev and there is benefit in
so doing.  Here goes.]

PROPOSAL

ooo-security@incubator.a.o be set up as a private list and a selection of not more than 10
security-aware PPMC members be subscribed to it.  We need to work out what the composition
would be.  The list will be automatically forwarded to security@a.o.  I assume that there might
be security-aware ooo-podling mentors and other ASF Members included in the small PPMC subscription.

DETAILS

General information about the Apache Security Team:
<http://www.apache.org/security/>

More details on the handling of security and vulnerabilities by committers and the role of
the [P]PMC:
<http://www.apache.org/security/committers.html>

Note that creation of a security page on our web site is also part of this.  That should happen
near-immediately also.

BACKGROUND  

I have been nosing around in document-related security areas and that has led me to inquire
what the arrangements need to be for discussing security issues, identified vulnerabilities,
proposed mitigations, etc.

I've learned that the Apache approach is for each PMC to take the lead in handling security
matters related to its releases.  To maintain the security of security matters, the practice
is to have a private list (for us, ooo-security) with not more than ten security-aware subscribers.

Since we may have "common-mode" issues with respect to the use of our common code base and
implementation behaviors, it may be necessary to coordinate with other teams, including the
LibreOffice security team, in our case.  We'll have to work that out on an individual-case
basis, I suspect.  I don't know if we have any PPMC members who are also on that team, and
I don't know what the structure was for OpenOffice.org and who may have been involved.

 - Dennis

