incubator-ooo-dev mailing list archives

From Shane Curcuru <...@shanecurcuru.org>
Subject Re: Population of ooo-security
Date Fri, 29 Jul 2011 02:34:53 GMT
I'll add my +1 as a mentor (i.e. not a committer) to Rob's general 
suggestions.

Personally, I would be uncomfortable to have non-PPMC or Apache Security 
team members on the ooo-security@ list.  This is a list for this project 
to become aware of potential security issues, and to quickly review them 
and start a plan for addressing them (if necessary).

Having only Apache committers on this list in no way means that the list 
members would not tap any relevant security experts as needed. 
Obviously for specific vulnerabilities (or even potential 
vulnerabilities), I would expect people would reach out directly to 
other recognized or trusted security experts - I'm sure, in many cases, 
to the other relevant LibO or whatever security mailing lists.  But the 
ooo-security@ list itself should be carefully limited.

But security of the future Apache OpenOffice product remains with this 
(P)PMC - not with security experts on other projects, no matter how 
well-meaning or experienced they may be.  The direct way the (P)PMC should 
learn about issues - ooo-security@ - is for the (P)PMC to be on.

Note that I would also recommend emailing security@ after you have a 
basic proposed plan to get advice, and to strongly consider following 
any advice you get.  They and some of the other major Apache projects, 
like Tomcat, Subversion, and httpd, should also be able to provide good 
guidance on ways to alert first responders (packagers, binary builders, 
whoever) in an appropriate manner before public disclosures.

- Shane
