incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Pedro F. Giffuni" <>
Subject Re: Population of ooo-security
Date Fri, 29 Jul 2011 20:27:39 GMT

--- On Fri, 7/29/11, Norbert Thiebaud <> wrote:
>  ok let me use a concrete example:
> Let say person A found somewhere in the code something
> like
>   printf( s_usingText );
> where there is a risk that s_usingText is not sanitized...
> let's say person A notify this security risk to LibreOffice
> security risk
> What should happen then:
> a/ LibreOffice keep it private to LibreOffice member only,
> make and
> publish a Fix, then and only then unleashed the news on the
> rest of
> the world, including ?
> b/ LibreOffice security list has subscriber that represent
> their
> cousin project so they are aware of it immediately
> and can
> themselves asses, fix and prepare a patch (if
> applicable)... and since
> they are cross-list access they can coordinate release and
> announce if need be.
> If you selected option a/ then fine subject closed.. but
> let's not be hypocrite about it.

a/ is reasonable: I am willing to accept that we can do
better but if ultimately A/ is the only option that does
not mean we are enemies.

We do want b/ to be reciprocal, but that means we respect
your rules and you respect ours. How would you like to include
a patch that I send you (no license agreement) and a few
months later the company I work for (with or without my consent)
starts suing your users for patent infringement?

The few rules Apache has are there for a reason, and trust
me you there is no intention to treat any project unfairly.
> being subscribed as a liaison to a ooo-security list does
> not confer
> the subscriber any decision power... and yes the whole
> point of the
> cross-pollination _is_ to get notified as soon as possible
> of possible
> issues.

ooo-security, as I understand it, is meant to identify and 
react as fast as possible to specific vulnerabilities that
other people report. Other projects have a security-notifications
list in additional to the normal security lists.

Security issues are usually relatively straightforward to patch,
so even if we have to recur to option a/, the notification will
not take too long to come out...



> Norbert

View raw message