incubator-ooo-dev mailing list archives

From Rob Weir <apa...@robweir.com>
Subject Re: Population of ooo-security
Date Thu, 28 Jul 2011 11:25:18 GMT
On Thu, Jul 28, 2011 at 3:18 AM, Florian Effenberger
<floeff@documentfoundation.org> wrote:
> Hello,
>
> Rob Weir wrote on 2011-07-28 04:08:
>>
>> -1.  This is the project's private security list, with only a subset
>> of the PPMC on it.  We should not have 3rd parties signed up on it.
>
> that would mark a negative change in the way things are handled. Since the
> beginning of LibO, we have also been collaborating with the OpenOffice.org
> folks on security and vice versa, and from what has been discussed the last
> weeks on those private lists, I got the impression that everyone involved
> wanted to keep that good spirit and cooperation, as it has shown to be
> beneficial for both sides.
>

No one said we could not collaborate on security matters, or on any
other matter.  But the ooo-dev list is for "reporting or managing of
an undisclosed security vulnerability in Apache software".  It is part
of the oversight of the project and has very limited membership,
namely a subset of PMC members, those who have been elected to provide
oversight to Apache projects.

I'd recommend reading up on the process here:
http://www.apache.org/security/committers.html

I'd also have concerns with engineers who have not signed the Apache
iCLA participating directly in the creation of patches on a private
list.

Especially note at the bottom where it explicitly allows for
contacting and collaborating with 3rd party experts in resolving any
reported security issues. This does not mean that these experts need
to be signed up on the project's private security list.  It just means
they can be brought into the conversation where appropriate.

Remember, anyone can post to any Apache list, even if they are not
signed up on it.  This sends it to the list moderators who may approve
the message.  That is how we get reports of security vulnerabilities
in the first place.  It would also be very easy for us to cc a
LibreOffice security expert on list messages in order to collaborate.


> I second André and Drew in their opinion that this is actually one of the
> areas, where cooperation is very easily possible, so IMHO, we shouldn't
> waste that chance.
>

I'd encourage the project to reach out to find security expertise
wherever needed.  This would include not only LibreOffice, but Lotus
Symphony, other projects at Apache, authors of embedded 3rd party
components, other industry experts, etc.  We have a potential pool of
experts that probably amounts to dozens or hundreds.  But that does
not mean that they all should be signed up on the ooo-security list.
We should bring them in on a case-by-case basis.

Otherwise, where would we draw the line?  Sign up LibreOffice experts
automatically on ooo-security?  What about Symphony?  NeoOffice?
Portable Apps? EuroOffice?  RedOffice?  They all have reasons to want
to be "the first to know" about any newly reported flaw.  What about
large government customers?  Educational institutions?  They would
want to know first as well.

So I think we need to clearly distinguish between the kinds of
collaboration that are needed to resolve an issue versus the kinds of
communications that are needed to report an issue and a fix to users
and downstream consumers of the code.  These are two different things,
and the Apache security process makes that distinction as well.

Cooperation on fixing problems is great and we should encourage it.
But the reason the ooo-private list is private and small is to protect
the users from premature disclosure of zero-day vulnerabilities.  To
prevent this Apache has defined some specific protocols, which I
linked to above.  This may differ from what OpenOffice has done
before.  That's fine.  Apache has some experience with managing
security as well.  I don't think we should automatically dismiss their
procedures.

A concrete way to encourage future collaboration in this area is if
LibreOffice would nominate 1 or 2 security experts from their project
to be listed in our private list of experts.  If you could send their
names and email addresses, along with their particular areas of
expertise, to ooo-security@incubator.apache.org, I will see that they
are added to the list.

I'll make the same offer to others as well.  If you are a non-project
member, but a security domain expert, and want to be on our list for
when we need such expertise, please send a note to ooo-security.

-Rob

> Florian
>
> --
> Florian Effenberger <floeff@documentfoundation.org>
> Steering Committee and Founding Member of The Document Foundation
> Tel: +49 8341 99660880 | Mobile: +49 151 14424108
> Skype: floeff | Twitter/Identi.ca: @floeff
>
