incubator-ooo-dev mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Population of ooo-security
Date Thu, 28 Jul 2011 22:43:37 GMT
Florian, we are all learning over here.

There are practices that the ASF has around security and how reports to security are handled
and the Apache ooo PPMC is working to comprehend how to do this properly.  We're still working
out how this is all meant to work and how we deal with the fact that there is a broader common
interest than what the Apache incubator might be the source of.

We set up the ooo-security@incubator.apache.org on the serious urging of the ASF security
team.

At the moment, the three moderators (required to provide mailing list coverage) of this moderated
and private list (no public archive or subscriptions) are myself, Rob Weir, and Malte Timmermann.
As the self-selected moderators, we became the initial subscribers.

The other advice was to include others who are already working on security lists for, e.g.,
OpenOffice.org (traditional) and LibreOffice.

I, for one, want more engagement of experienced security minders around ODF and its implementing
consumers and producers.  Although I pay attention to security-related matters involving ODF
and how implementations use it, I don't consider myself an expert (and I am not one to be
making patches to the code if that is what mitigation requires).  I think we should rely on
expertise that is available for how to conduct ourselves and also handling submissions to
our respective security lists.

You are seeing how the discussion of that is going so far.

I favor including the two others Malte recommends and I am not concerned about iCLAs and having
them be Apache committers and on the PPMC. It is nevertheless the case that all actions to
mitigate a security issue on Apache ooo (incubator) are the responsibility of the PPMC.  That
does not mean we can't share analysis and even agreement on remedies and the coordination
of mitigations, release of CVEs, etc.  

There's also a suggestion that we cross-subscribe our lists, but I'm not sure how we can manage
that.  However, having common membership should allow appropriate forwarding across lists.

I'm thinking security matters may be of more immediate concern to the active LibreOffice development
than to Apache.  We can't do a lot about any mitigation at the moment.  We clearly need to
be in the same loop with LibreOffice where there are common security concerns.  

I concur with your previous remarks concerning this being an important area where we can benefit
from mutual cooperation.

 - Dennis

-----Original Message-----
From: Florian Effenberger [mailto:floeff@documentfoundation.org] 
Sent: Thursday, July 28, 2011 14:42
To: ooo-dev@incubator.apache.org
Subject: Re: Population of ooo-security

Hello,

Dennis E. Hamilton wrote on 2011-07-28 22:04:
> I support Malte's recommendation to add two individuals that are currently in-common
> with respect to OpenOffice.org (traditional) and LibreOffice.

I must confess I find it really strange that policies seem to be changed 
here.

We had a good team at OpenOffice.org working on various security aspects 
(reporting, fixing, communicating), and when LibreOffice started, we 
unbureaucratically continued to work with the same set of people that 
has been proven trustworthy already. Everyone agreed that security is 
one of the areas where cooperation is possible without any politics 
involved.

I don't know the exact recipient list of the current OOo security list, 
but my proposal would simply have been to continue working with those 
people. I simply see no reason for changing that (and the notion of "We 
do things different here" is no valid argument at all to me).

But maybe that's just my idea. Well, anyways, back to important stuff.

Florian

-- 
Florian Effenberger <floeff@documentfoundation.org>
Steering Committee and Founding Member of The Document Foundation
Tel: +49 8341 99660880 | Mobile: +49 151 14424108
Skype: floeff | Twitter/Identi.ca: @floeff

