incubator-ooo-dev mailing list archives

From Rob Weir <>
Subject Re: Population of ooo-security
Date Thu, 28 Jul 2011 11:38:13 GMT
On Thu, Jul 28, 2011 at 6:06 AM, Malte Timmermann
<> wrote:
> After initiating the OOo security team 5 years ago, and doing most of the
> coordination stuff for OOo security fixes, please allow me to state my
> pov wrt ooo-security :)
> ooo-security is _not_ a mailing list where all people interested in security
> related stuff can discuss fancy things.
> ooo-security is about confidential stuff, and must be a closed list. The
> number of subscribers should be kept low.
> The reasons why somebody should be allowed to be on ooo-security are:
> - People responsible for handling security issues.
>  This includes people who communicate with the security researchers who
>  report vulnerabilities, and people doing security analyses and fixes.
>  For the fixes it might happen that they involve others, who better
>  know the code. So it may happen that many more people will work on
>  security issues than are subscribed to the list. Everybody who knows
>  a bigger chunk of code might need to do some security fix some time,
>  but that doesn't mean that all these people should be subscribed to
>  the list.
> - People responsible for the security of related products.
>  People from products based on AOOo might need to do the same or
>  similar fixes in their product, or even might want to help fixing the
>  issue in the base product.
>  This definitively includes people from LibreOffice!

We need to understand better how Apache handles the downstream
consumer issue.  Obviously they have many projects where there are
third party ports, customizations, inclusion in Linux distros,
embeddings in other products, etc.  A successful component like Apache
HTTP probably is contained in 100's of other products.  Surely they
are not all subscribed to the project's private security list.

My reading of the security process is that everyone is notified at
once, the public, users, downstream consumers, etc.  Once a fix is
ready and release is approved, the CVE is issued.

See, the process outlined here:

As you know, until recently, there was no IBM representative on
ooo-security, even though we have millions of downloads and users with
Lotus Symphony.  So this information sharing, in practice, was not
really coordinated optimally.

I'm open to the idea that, with Apache security approval, we notify
downstream consumers before the public announcement.  But this would
need to be coordinated very carefully.  If you notice, with the Apache
process, we avoid any public discussion, any JIRA issues, and commit
messages that indicate the problem, etc.  Everything is done to avoid
premature public disclosure.  This is not easy.  But if we need to do
a multi-project coordination, where we do the same, but also
coordinate on release dates with OpenOffice, LibreOffice, Symphony,
RedOffice, BrOffice, as well as coordinate with Linux distros that
bundle LibreOffice, etc., then there are many more ways to have a
premature disclosure. I'd be interested in how (or if) other Apache
projects handle this, especially ones with a much greater security
profile.  The best policy, in the end, might be to simply notify
everyone, including the users, at once.  In the end, our concern should
be about protecting the users.

> - People responsible for providing patches or updated program versions
>  In the OOo Security Team, we have from most Linux distros someone
>  from their security team, so they know about the issues and can
>  prepare for updates.
> - People responsible for writing security bulletins
>  Once AOOo is a real product, we need to get CVEs for security issues
>  and need to write and publish security bulletins.
> First we should get the right people on the list who work in the first 2
> areas. As long as we don't have a product, we don't need security bulletins.
> Also we only need to add security people from the distros once they ship
> vanilla AOOo. When they continue shipping LibO, they only need to be on the
> LibO security list.
> It's not clear to me whether or not all people must be committers for some
> reason. With "people responsible for the security of related products", I
> have the feeling they shouldn't need to be committers.
> From the people on the current OOo security team, there are (iirc) only 2
> people beside myself who regularly worked on fixes for security issues:
> Caolan McNamara and Rene Engelhard. I would like to add them to
> ooo-security. They are also in the LibO security team, so adding them should
> give enough LibO coverage.
> Malte.
> On 28.07.2011 09:18, Florian Effenberger wrote:
>> Hello,
>> Rob Weir wrote on 2011-07-28 04:08:
>>> -1. This is the project's private security list, with only a subset
>>> of the PPMC on it. We should not have 3rd parties signed up on it.
>> that would mark a negative change in the way things are handled. Since
>> the beginning of LibO, we have also been collaborating with the
>> folks on security and vice versa, and from what has been
>> discussed the last weeks on those private lists, I got the impression
>> that everyone involved wanted to keep that good spirit and cooperation,
>> as it has shown to be beneficial for both sides.
>> I second André and Drew in their opinion that this is actually one of
>> the areas, where cooperation is very easily possible, so IMHO, we
>> shouldn't waste that chance.
>> Florian
