incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Greg Stein <gst...@gmail.com>
Subject Re: [DISCUSS] Creation of ooo-security List
Date Thu, 07 Jul 2011 00:21:56 GMT
Apache Subversion used to have its own security mailing list before it
came to the Apache Software Foundation. We decided that the *influx*
of security problems was low enough that we left that mailing list
behind. Today, we rely entirely on security@apache.org for external
entities to report problems[1].

Note that there are two purposes for security@apache.org:

1) external users report problems here
2) it is the Apache Security Team, and is used to contact them and to
keep them in the discussion loop.

On the page you referenced[2], all of the steps talk about the
"project team". That is not a subset of the PMC. That *is* the PMC.
The entire PMC is responsible for the project.

As an example, the Apache Subversion project manages the entire
response to a problem on private@subversion.a.o, keeping
security@apache.org cc'd on the discussion. We produce the patch, get
it tested, and use our private repository to develop the CVE text
(after we request CVE(s) from the security@ folks)

private@subversion.a.o has several dozen people on it. Probably more.

One key is to ensure that the people on the (P)PMC list understand
what the security response protocol looks like. They need to
understand that we keep it private until the vulnerability is ready
for disclosure. That disclosure typically includes CVE notices, and it
includes a pre-notification to a list of people (we keep that list in
svn, too, along with a script to send them the notification). Anybody
that we feel has an interest and impact in hearing about svn
vulnerabilities is asked (eg. packagers and big hosting companies).

Once the Apache OO.o PPMC has a solid understanding, or at least a
solid agreement in *confidentiality*, then security issues can be
handled on ooo-private@incubator.a.o.

I don't believe that we need our own security address since I doubt
we'll have that many *incoming* issues. Those reports can go to
security@apache.org, and that team will forward them to the PPMC.

Cheers,
-g

[1] http://subversion.apache.org/security/
[2] http://www.apache.org/security/committers.html

On Wed, Jul 6, 2011 at 19:50, Dennis E. Hamilton
<dennis.hamilton@acm.org> wrote:
> I'm assuming the goal is to keep the analysis and discussion of alleged vulnerabilities
to a relatively small need-to-know group.
>
> I don't know that 10 is a hard number, I heard it as a suggestion when I asked around
about how this works at Apache.  Do you know typical sizes for security@project lists?
>
>  - Dennis
>
> -----Original Message-----
> From: Daniel Shahaf [mailto:d.s@daniel.shahaf.name]
> Sent: Wednesday, July 06, 2011 15:54
> To: OOo-dev Apache Incubator
> Subject: Re: [DISCUSS] Creation of ooo-security List
>
> Dennis E. Hamilton wrote on Wed, Jul 06, 2011 at 12:02:31 -0700:
>> I've learned that the Apache approach is for each PMC taking the lead
>> in handling security matters related to its releases.  To maintain the
>> security of security matters, the practice is to have a private list
>> (for us, ooo-security) with not more than ten security-aware
>> subscribers.
>
> I've never heard of a magic number cap to the # of subscribers of
> a mailing list.
>
>

Mime
View raw message