incubator-ooo-dev mailing list archives

From Norbert Thiebaud <>
Subject Re: Population of ooo-security
Date Fri, 29 Jul 2011 19:33:51 GMT
On Fri, Jul 29, 2011 at 1:48 PM, Pedro F. Giffuni <> wrote:
> --- On Fri, 7/29/11, Norbert Thiebaud <> wrote:
> ...
>> >
>> So let me use an analogy to illustrate why I thought that was
>> sarcasm:
>> to me, Rob's paragraph read as:
>> The offer remains open: if any gay person wants to marry, we
>> will gladly recognize that marriage, as long as they marry
>> someone of the opposite sex.
> Religion is off topic here, but indeed you can't expect that
> a specific church that defines marriage as the union between
> a man and a woman to procreate will recognize same sex
> unions as "marriages". No sarcasm there, just the rules.

The sarcasm here is not in each other's position, but in the claim that there
is any 'open offer' in such a proposal.

>> PS: why o why would signing an iCLA be a requirement to be
>> a project security liaison ?
> The ICLA covers two things that are essential for any
> contribution: license and patents. It would be unacceptable
> to accept security patches that could cause problems in
> either topic.
OK, let me use a concrete example:

Let's say person A found somewhere in the code something like

  printf( s_usingText );

where there is a risk that s_usingText is not sanitized...

let's say person A notifies this security risk to the LibreOffice security list.

What should happen then:

a/ LibreOffice keeps it private to LibreOffice members only, makes and
publishes a fix, then and only then unleashes the news on the rest of
the world, including ?

b/ The LibreOffice security list has subscribers that represent their
cousin projects, so they are aware of it immediately and can
themselves assess, fix and prepare a patch (if applicable)... and since
there is cross-list access they can coordinate the release and announcement if
need be.

If you selected option a/ then fine, subject closed.. but let's not be
hypocritical about it.
If you selected option b/ how do you rationalize that the behavior
should not be reciprocal? 'Because that is how Apache works?' Really?

> Ambassadors only get notified of internal issues; they
> don't decide. A security officer would be more analogous
> to a defense minister.

Being subscribed as a liaison to an ooo-security list does not confer on
the subscriber any decision power... and yes, the whole point of the
cross-pollination _is_ to get notified as soon as possible of possible

