incubator-ooo-dev mailing list archives

From "Dennis E. Hamilton" <orc...@apache.org>
Subject RE: Population of ooo-security
Date Thu, 28 Jul 2011 20:04:46 GMT
I support Malte's recommendation to add two individuals that are currently in-common with respect
to OpenOffice.org (traditional) and LibreOffice.

 - Dennis

MORE THOUGHTS

Of the three of us moderating the ooo-security list, I believe only one of us has experience
in these matters, and that is Malte, who recommends accepting two subscribers who are
also on the OOo-security list and the LibreOffice security list.  One of them (Caolan) is
known to me already.

Also, when we were advised (twice) by security to do this, it was recommended that we find
a way to cross-couple.

I think it is important to establish this coverage in advance of a problem, since rapid, mutual
assessment can be critical in the case of a critical exploit (and I have none in mind).

Finally, we at Apache Oo.o are not the nexus here.  At the moment we don't have a distro,
we don't even have an issues mechanism, let alone a way to accept a patch.  The odds are that
anything in the current base is going to be acted on most adroitly by LibreOffice first, others
if impacted, and then ourselves when we are in a position to issue remediated code.

I for one would also welcome participation by security experts from other sources, including
experts from IBM and Microsoft too.

With regard to iCLAs, I don't think that is critical with regard to assessment and even discussion
of remedies.  It only matters when patches are prepared and it seems reasonable for that to
be done by our own PPMC for our code base (when we have one).  It might not serve other distros
and implementations to rely on our patch, but in any case it is also appropriate to coordinate
disclosure and remedy and not presume that everyone is downstream from us.


-----Original Message-----
From: Rob Weir [mailto:apache@robweir.com]
Sent: Wednesday, July 27, 2011 19:09
To: ooo-dev@incubator.apache.org
Subject: Re: Population of ooo-security

On Wed, Jul 27, 2011 at 9:23 PM, Dennis E. Hamilton <orcmid@apache.org> wrote:
> Now that we've confirmed that the ooo-security list exists and the three moderators appear
> to be subscribers, I believe the next action is to subscribe the existing OO.o/LibreOffice
> security folk, per
>
> <http://mail-archives.apache.org/mod_mbox/incubator-ooo-dev/201107.mbox/%3c4E1AF3D6.8030709@oracle.com%3e>
>

-1.  This is the project's private security list, with only a subset
of the PPMC on it.  We should not have 3rd parties signed up on it.

Observe the process here:

http://www.apache.org/security/committers.html

"Information may be shared with domain experts (eg colleagues at your
employer) at the discretion of the project's security team providing
that it is made clear that the information is not for public
disclosure and that security@apache.org or the project's security
mailing list must be copied on any communication regarding the
vulnerability."

So there is a distinction here between the "project's security team"
and "domain experts".  I'd like to see the ooo-security list be the
former, and have us bring in the latter when necessary for a particular
issue.

I think it would be a great idea to track, in a text file in the
PPMC's private directory, a list of 3rd party experts who could be
consulted for particular kinds of issues.   But if and when to bring
in those 3rd parties should be decided on a case by case basis.

> There was also a notion of cross-subscribing some lists, but that would probably be after
> that.
>

We could put those addresses into the private text file as well, but
I'd rather trust a person's email address than to trust an opaque
list.

-Rob

>  - Dennis
>
> -----Original Message-----
> From: Rob Weir [mailto:apache@robweir.com]
> Sent: Tuesday, July 26, 2011 13:33
> To: ooo-security@incubator.apache.org
> Subject: Testing
>
> This is a test, to see if the list has been set up properly.
>
> -Rob
>
>
