incubator-ooo-dev mailing list archives

From Norbert Thiebaud <nthieb...@gmail.com>
Subject Re: Population of ooo-security
Date Fri, 29 Jul 2011 17:49:47 GMT
On Fri, Jul 29, 2011 at 11:58 AM, Dave Fisher <dave2wave@comcast.net> wrote:
>
> On Jul 29, 2011, at 9:26 AM, Norbert Thiebaud wrote:
>
>> On Fri, Jul 29, 2011 at 10:48 AM, Rob Weir <apache@robweir.com> wrote:
>>> On Fri, Jul 29, 2011 at 10:58 AM, Florian Effenberger
>>> <floeff@documentfoundation.org> wrote:
>>>> Hi,
>>>>
>>>> Rob Weir wrote on 2011-07-29 16:49:
>>>>>
>>>>> What did you think of Simon's idea of having a discussion list,
>>>>> perhaps outside of Apache, where interested parties could discuss
>>>>> issues related to the security of OOo and related code bases?
>>>>> Something like that could be useful, even if it is not part of the
>>>>> official incident response process of Apache or LibreOffice.
>>>>
>>>> I was not talking about chatting on security topics, I was talking about
>>>> effectively cooperating on security issues, like we did in the past, in a
>>>> trusted, well-proven group.
>>>>
>>>> However, people made it clear that this is not of interest, so I simply shut
>>>> up here.
>>>>
>>>
>>> The offer remains open:  If any LibreOffice security expert joins this
>>> list, states that they have relevant expertise and that expresses a
>>> commitment to work on Apache OpenOffice security, and are willing to
>>> sign and return the Apache iCLA, then I will gladly nominate them as a
>>> committer and recommend that they be added to the ooo-security list.
>>
>> Sarcasm does not "travel well", maybe you should add <sarcasm>
>> </sarcasm> to the above paragraph ?
>
> I think that Rob is being serious here, he's mentioned this twice. There are rules, but
> there are ways to deal with those rules.
>
> I fail to see any sarcasm in this honest offer and I second the offer including PPMC
> membership. If a known OOo security expert

No, Rob's 'honest offer' was: "If any LibreOffice security expert joins"

> wishes to join our podling we should make all necessary efforts to include them.

That was never the topic. The topic is: considering that we share a
big common ancestor, if either one of us is made aware of a security
risk, should we inform our cousin ASAP? And if so, how best to do that.
Apparently in the past that was achieved by cross-pollinating
each other's security lists with a select few security-expert liaisons.

Note that this sword cuts both ways. ( http://en.wikipedia.org/wiki/Tit_for_tat )

>
So let me use an analogy to illustrate why I thought that was sarcasm:

to me, Rob's paragraph read as:

The offer remains open: If any gay person wants to marry, we will
gladly recognize that marriage, as long as they marry someone of the
opposite sex.

The offer remains open: if any person wants to collaborate with us on a
neighborhood watch list, we will gladly accept them as long as they
get baptized in our church and renounce their evil ways.

Norbert

PS: why oh why would signing an iCLA be a requirement to be a project
security liaison? It's like asking that any ambassador be a naturalized
citizen of the country he is in post in.
