incubator-ooo-dev mailing list archives

From Greg Stein <gst...@gmail.com>
Subject Re: [DISCUSS] Creation of ooo-security List
Date Thu, 07 Jul 2011 00:26:29 GMT
On Wed, Jul 6, 2011 at 18:35, Dennis E. Hamilton
<dennis.hamilton@acm.org> wrote:
> Well, vulnerabilities are vulnerabilities and if there is an exposure in current code
> or in documents produced in current code, isn't that a concern for us now?  Why would it
> not be?
>
> Also, I don't presume that everyone is downstream from us (as opposed to the OpenOffice.org
> that once was).
>
> I think of LibreOffice as a mutual stakeholder because it seems they have a security
> team too and like it or not, they are cranking out releases very quickly and may be able to
> provide mitigations, hypothetically, months before we ever get a release of ours out the door.

We can get guidance from the Apache Security Team on this. I suspect
they would concur: work with the development/security teams of people
developing forks of OOo. Downstream users would presumably get a
standard pre-notification email.

>...
> I don't know about the details of having that work.  I do know if I uncover a problem,
> I am going to communicate it to every security-conscious entity I can.

The best answer is to ask Security for advice here. There is an
industry-standard approach to this kind of notification.

> To make this conversation concrete: I have security issues I want to raise, which is
> what had me looking into this in the first place.  I would like to do this in a manner that
> is in keeping with concerns for dealing with security matters privately to ensure that there
> is competent review and no danger attached to premature disclosure.  (I suspect not, because
> the vulnerabilities I am aware of exist in plain sight, but I want the counsel of someone
> having more security experience than I before saying, "Heck, I need something for today's
> blog post, why not stir things up with this?")

Start with security@apache.org, and go from there.

Cheers,
-g
