incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Shahaf <...@daniel.shahaf.name>
Subject Re: Population of ooo-security
Date Fri, 29 Jul 2011 20:37:18 GMT
Dave Fisher wrote on Fri, Jul 29, 2011 at 12:04:44 -0700:
> Let's stop misinterpreting and offending each other and find a way to
> co-operate.
> 
> Several possibilities have been discussed.
> 
> (1) A private list of experts that will be contacted as needed by
> ooo-security. Maybe this should be public, self-identified and on the
> commiunity wiki?
> 
> (2) A list of interested, interrelated projects that want to be
> informed of upcoming fixes, etc, slightly in advance. Registered on
> the community wiki?
> 

As long as it's not "Whoever registers gets notified".  The public
notification is via the announce@ list, not via registration.

> (3) Remembering that anyone who actually has an issue can report it to
> ooo-security and ooo-security would likely include that individual in
> their discussion and remediation. Other APache projects actually show
> who reported, when it was privately and when it was publicly
> disclosed.
> 
> (4) An offer to anyone who is an OOo security expert including LO/TDF
> people to join the podling as a committer and member of the PPMC
> - requires an ICLA (which is not a baptism nor is it circumcision) and
> the vote of the PPMC.
> 
> Do you have something constructive to add here?
> 

(6) ooo-security@ voluntarily CC's libreoffice-security@ (the list, not
individuals) when a concrete vulnerability is recognized and a fix needs
to be devised.

I'm not sure whether or not an ICLA would be required; but the ASF's
legal rights to use the devised patches should be ascertained.

> Regards, Dave

Mime
View raw message