incubator-ooo-dev mailing list archives

From Rob Weir <apa...@robweir.com>
Subject Re: Population of ooo-security
Date Thu, 28 Jul 2011 23:45:46 GMT
On Thu, Jul 28, 2011 at 6:43 PM, Dennis E. Hamilton
<dennis.hamilton@acm.org> wrote:
> Florian, we are all learning over here.
>
> There are practices that the ASF has around security and how reports to security are
> handled and the Apache ooo PPMC is working to comprehend how to do this properly.  We're
> still working out how this is all meant to work and how we deal with the fact that there is
> a broader common interest than what the Apache incubator might be the source of.
>
> We set up the ooo-security@incubator.apache.org on the serious urging of the ASF security
> team.
>
> At the moment, the three moderators (required to provide mailing list coverage) of this
> moderated and private list (no public archive or subscriptions) are myself, Rob Weir, and
> Malte Timmermann.  As the self-selected moderators, we became the initial subscribers.
>
> The other advice was to include others who are already working on security lists for,
> e.g., OpenOffice.org (traditional) and LibreOffice.
>
> I, for one, want more engagement of experienced security minders around ODF and its implementing
> consumers and producers.  Although I pay attention to security-related matters involving
> ODF and how implementations use it, I don't consider myself an expert (and I am not one to
> be making patches to the code if that is what mitigation requires).  I think we should rely
> on expertise that is available for how to conduct ourselves and also handling submissions
> to our respective security lists.
>
> You are seeing how the discussion of that is going so far.
>
> I favor including the two others Malte recommends and I am not concerned about iCLAs
> and having them be Apache committers and on the PPMC. It is nevertheless the case that all
> actions to mitigate a security issue on Apache ooo (incubator) are the responsibility of the
> PPMC.  That does not mean we can't share analysis and even agreement on remedies and the
> coordination of mitigations, release of CVEs, etc.
>
> There's also suggestion that we cross-subscribe our lists, but I'm not sure how we can
> manage that.  However, having common membership should allow appropriate forwarding across
> lists.
>

Both lists are also used for reporting vulnerabilities.  So both lists
must already have the ability to accept incoming emails from
non-subscribers.  We know with Apache, such emails go to the moderator
first.  I assume it is the same with securityteam@openoffice.org.

So in cases where we think we need to post to that list, or they think
they need to post to ours, it is already possible.  We don't need to
change anything for that to happen.

But remember, the securityteam@openoffice.org is not long for this
world.  This Apache project will be taking over that domain and its
lists.  So in the intermediate term there will no longer be "us" and
"them".  It will just be "us" and "us".  We'll need to decide at that
point whether securityteam@openoffice.org continues or whether it is
shut down.  My guess is we'll want to shut it down so it is clear to
the public where reports should be sent.  So cross-subscribing is
really a short term hack and a non-solution in my mind.

What do we really want to do?  Stepping back, what do we want to accomplish?

Do we want a list of domain experts we can tap into?  That is easy.
Track the list in a text file in the PPMC's private directory.

Do we want to bring more security experts into the project and, as
committers and PPMC members, into the ooo-security list?  Great.  I'd
love to help with that recruitment effort.  Do we want to create a
private club of 3rd parties with whom we share all reports and
discussions, indiscriminately, by default, regardless of the
technology involved in the underlying report?  Sorry, I can't support
that.

Can you give me an example of a kind of issue that we could not
analyze and resolve within the project, or could not resolve by
tapping into targeted 3rd party domain experts?


> I'm thinking security matters may be of more immediate concern to the active LibreOffice
> development than to Apache.  We can't do a lot about any mitigation at the moment.  We clearly
> need to be in the same loop with LibreOffice where there are common security concerns.
>

We can do plenty. It would depend, of course, on the severity and
nature of the underlying vulnerability.

> I concur with your previous remarks concerning this being an important area where we
> can benefit from mutual cooperation.
>
>  - Dennis
>
> -----Original Message-----
> From: Florian Effenberger [mailto:floeff@documentfoundation.org]
> Sent: Thursday, July 28, 2011 14:42
> To: ooo-dev@incubator.apache.org
> Subject: Re: Population of ooo-security
>
> Hello,
>
> Dennis E. Hamilton wrote on 2011-07-28 22:04:
>> I support Malte's recommendation to add two individuals that are currently in-common
>> with respect to OpenOffice.org (traditional) and LibreOffice.
>
> I must confess I find it really strange that policies seem to be changed
> here.
>
> We had a good team at OpenOffice.org working on various security aspects
> (reporting, fixing, communicating), and when LibreOffice started, we
> unbureaucratically continued to work with the same set of people that
> has been proven trustworthy already. Everyone agreed that security is
> one of the areas where cooperation is possible without any politics
> involved.
>
> I don't know the exact recipient list of the current OOo security list,
> but my proposal would simply have been to continue working with those
> people. I simply see no reason for changing that (and the notion of "We
> do things different here" is no valid argument at all to me).
>
> But maybe that's just my idea. Well, anyways, back to important stuff.
>
> Florian
>
> --
> Florian Effenberger <floeff@documentfoundation.org>
> Steering Committee and Founding Member of The Document Foundation
> Tel: +49 8341 99660880 | Mobile: +49 151 14424108
> Skype: floeff | Twitter/Identi.ca: @floeff
>
>
