incubator-ooo-dev mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: [DISCUSS] Creation of ooo-security List
Date Wed, 06 Jul 2011 23:30:21 GMT
I thought the way security-related patches and releases are to be handled is spelled out clearly
enough in the two web pages I linked to.

I suppose we know that an ooo-security@i.a.o is working when security fixes show up.  There
is every reason to cloak such an operation in stealth and not announce anything about submissions
received, work in progress, etc., until a vulnerability is addressed in public.

I am raising my particular concerns with security@ and the apparent equivalent at The Document
Foundation.  Depending on what the gating rules are for submissions to those lists, I am not
sure when and what I might hear back.  

 - Dennis
  
-----Original Message-----
From: Dave Fisher [mailto:dave2wave@comcast.net] 
Sent: Wednesday, July 06, 2011 15:52
To: ooo-dev@incubator.apache.org
Subject: Re: [DISCUSS] Creation of ooo-security List

Hi Dennis,

I appreciate your concerns. Have you raised them at security@apache.org yet?

If the security@apache.org list suggests that the AOOo PPMC request a security mailing list
now then we should go ahead. We would need the right volunteers to handle any concerns.

Perhaps it will turn out that there are some individuals involved in all of AOOo, LibreOffice
and Security that can informally handle the multiple "hats". That might avoid a formal arrangement.
But maybe a formal agreement would be good.

I think that if we do have a security list that they will need to give nonspecific information
so that the community can sense that issues are being solved. We may very well need to eventually
have a security patch schedule that is not too frantic. (Firefox 5 or bust, corporations can
just have their IE)

Regards,
Dave

On Jul 6, 2011, at 3:35 PM, Dennis E. Hamilton wrote:

> Well, vulnerabilities are vulnerabilities and if there is an exposure in current code
> or in documents produced in current code, isn't that a concern for us now?  Why would it not
> be?
> 
> Also, I don't presume that everyone is downstream from us (as opposed to the OpenOffice.org
> that once was).
> 
> I think of LibreOffice as a mutual stakeholder because it seems they have a security
> team too and like it or not, they are cranking out releases very quickly and may be able to
> provide mitigations, hypothetically, months before we ever get a release of ours out the door.
> 
> Also, some security issues may require a jointly-agreed response so that we attend to
> interoperability concerns, especially if mitigation involves breaking changes or even introduction
> of allowed extensions (in the context of the ODF specifications).  Anything that fits into
> a discretionary area requiring producer-consumer agreement to work needs a community to unfold
> it.
> 
> I don't know about the details of having that work.  I do know if I uncover a problem,
> I am going to communicate it to every security-conscious entity I can.
> 
> To make this conversation concrete: I have security issues I want to raise, which is
> what had me looking into this in the first place.  I would like to do this in a manner that
> is in keeping with concerns for dealing with security matters privately to ensure that there
> is competent review and no danger attached to premature disclosure.  (I suspect not, because
> the vulnerabilities I am aware of exist in plain sight, but I want the counsel of someone
> having more security experience than I before saying, "Heck, I need something for today's
> blog post, why not stir things up with this?")
> 
> 
> - Dennis
> 
> -----Original Message-----
> From: rabastus@gmail.com [mailto:rabastus@gmail.com] On Behalf Of Rob Weir
> Sent: Wednesday, July 06, 2011 14:40
> To: ooo-dev@incubator.apache.org
> Subject: Re: [DISCUSS] Creation of ooo-security List
> 
> On Wed, Jul 6, 2011 at 3:02 PM, Dennis E. Hamilton <orcmid@apache.org> wrote:
>> [I am reminded that the best way to talk to the PPMC is on ooo-dev and there is benefit
>> in so doing.  Here goes.]
>> 
>> PROPOSAL
>> 
>> ooo-security@incubator.a.o be set up as a private list and a selection of not more
>> than 10 security-aware PPMC members be subscribed to it.  We need to work out what the composition
>> would be.  The list will be automatically forwarded to security@a.o.  I assume that there might
>> be security-aware ooo-podling mentors and other ASF Members included in the small PPMC subscription.
>> 
>> DETAILS
>> 
>> General information about the Apache Security Team:
>> <http://www.apache.org/security/>
>> 
>> More details on the handling of security and vulnerabilities by committers and the
>> role of the [P]PMC:
>> <http://www.apache.org/security/committers.html>
>> 
>> Note that creation of a security page on our web site is also part of this.  That
>> should happen near-immediately also.
>> 
> 
> The website already has a "Security" link on the navigation panel, at
> the bottom.  This takes you to the main Apache security page where the
> reporter is instructed on how to submit reports.  According to that
> page, security reports are routed to the PMC in case we do not have a
> dedicated security list.  So I don't see the urgency on creating a new
> list or a new web page, especially since we don't even have code in
> the repository, let alone a release, and since there already is a
> security list and contact address at OOo.  I think that the existing
> procedures, in place at Apache, are adequate if someone wanted to
> report a problem.
> 
> The idea of having the discussion in private, on the PMC private list
> or on a private security list, is a good idea, so that any
> vulnerability reported would not be immediately exploited by script
> kiddies.  Or at least the chances of that would be diminished.  But I
> don't think that any of the PPMC members are malicious hackers likely
> to abuse any security sensitive information shared on the PPMC list.
> Of course, only a subset of the members have security expertise.
> 
> 
>> BACKGROUND
>> 
>> I have been nosing around in document-related security areas and that has led me
>> to inquire what the arrangements need to be for discussing security issues, identified vulnerabilities,
>> proposed mitigations, etc.
>> 
>> I've learned that the Apache approach is for each PMC to take the lead in handling
>> security matters related to its releases.  To maintain the security of security matters, the
>> practice is to have a private list (for us, ooo-security) with not more than ten security-aware
>> subscribers.
>> 
>> Since we may have "common-mode" issues with respect to the use of our common code
>> base and implementation behaviors, it may be necessary to coordinate with other teams, including
>> the LibreOffice security team, in our case.  We'll have to work that out on an individual-case
>> basis, I suspect.  I don't know if we have any PPMC members who are also on that team, and
>> I don't know what the structure was for OpenOffice.org and who may have been involved.
>> 
> 
> I'd object to us officially sharing advance security-related
> information with some downstream consumers of OOo while not doing the
> same with others.
> 
>> - Dennis
>> 
>> 
> 