incubator-ooo-dev mailing list archives

From Rob Weir <apa...@robweir.com>
Subject Re: Population of ooo-security
Date Fri, 29 Jul 2011 20:00:25 GMT
On Fri, Jul 29, 2011 at 3:33 PM, Norbert Thiebaud <nthiebaud@gmail.com> wrote:
> On Fri, Jul 29, 2011 at 1:48 PM, Pedro F. Giffuni <giffunip@tutopia.com> wrote:
>> --- On Fri, 7/29/11, Norbert Thiebaud <nthiebaud@gmail.com> wrote:
>> ...
>>>
>>> >
>>> So let me use an analogy to illustrate why I thought that was
>>> sarcasm:
>>>
>>> to me, Rob's paragraph read as:
>>>
>>> The offer remains open: If any gay person wants to marry, we
>>> will gladly recognize that marriage, as long as they marry
>>> someone of the opposite sex.
>>>
>>
>> Religion is off topic here, but indeed you can't expect that
>> a specific church that defines marriage as the union between
>> a man and a woman to procreate will recognize same sex
>> unions as "marriages". No sarcasm there, just the rules.
>
> The sarcasm here is not each other's position, but the claim that there
> is any 'open offer' in such a proposal.
>
>>
>>>
>>> PS: why oh why would signing an iCLA be a requirement to be
>>> a project security liaison?
>>
>> The ICLA covers two things that are essential for any
>> contribution: license and patents. It would be unacceptable
>> to accept security patches that could cause problems in
>> either topic.
>>
> OK, let me use a concrete example:
>
> Let's say person A found somewhere in the code something like
>
>  printf( s_usingText );
>
> where there is a risk that s_usingText is not sanitized...
>
> let's say person A reports this security risk to the LibreOffice security list
>
> What should happen then:
>
> a/ LibreOffice keeps it private to LibreOffice members only, makes and
> publishes a fix, and then and only then unleashes the news on the rest of
> the world, including AOO.org?
>
> b/ The LibreOffice security list has subscribers that represent their
> cousin project AOO.org, so they are aware of it immediately and can
> themselves assess, fix and prepare a patch (if applicable)... and since
> there is cross-list access they can coordinate the release and announcement
> if need be.
>

You are presenting a false dichotomy.  There are more than two ways of
handling this, including infinite gradations between your two poles.

For example, the discussion could start at LibreOffice, where the
problem is analyzed and verified and a "beta" patch produced.  At that
point the patch could be privately shared among related projects, like
AOOo, to get feedback. (This has been called "pre-notification".)  Then
the news is "unleashed on the rest of the world".

That's the way I'm thinking of it.  I think having that level of
cooperation would be wonderful. We've been discussing having a
"pre-notification list" for Apache OpenOffice.  I think it could work
well.  But if you want to get involved even more, including in the
very first discussions and analysis of newly reported issues, then you
are very welcome to do so, but you need to become a committer.  I've
described some simple steps that you could take to do that, if you
wanted.

But I wonder, with all the rhetoric about marriage and such, whether
anyone is confused about the "commitment" part of "committer"?  This
is not an exclusive thing.  There is absolutely no problem (for me
personally, nor for Apache) if someone is a committer for both Apache
OpenOffice and LibreOffice.  An invitation to join Apache OpenOffice
is not a demand for you to abandon work on any other project(s) you
might be involved in.

> If you selected option a/ then fine, subject closed... but let's not be
> hypocrites about it.
> If you selected option b/ how do you rationalize that the behavior
> should not be reciprocal? 'Because that is how Apache works?' Really?
>
>
>>Ambassadors only get notified of internal issues; they
>>don't decide. A security officer would be more analogous
>>to a defense minister.
>
> Being subscribed as a liaison to an ooo-security list does not confer
> any decision power on the subscriber... and yes, the whole point of the
> cross-pollination _is_ to get notified as soon as possible of possible
> issues.
>
> Norbert
>

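A defensive illustration of the `printf( s_usingText )` case Norbert raises, added here as an example and not code from the thread or from either project. `s_usingText` stands for the untrusted string; the function names and the sample input are my own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable form from the thread (deliberately not compiled here):
 *     printf( s_usingText );
 * Every '%' in s_usingText is parsed as a conversion directive, so printf
 * reads arguments that were never passed. Modern gcc/clang flag this with
 * -Wformat-security; the fixes below keep the format string constant. */

/* Hardened form 1: constant format, untrusted text passed as data.
 * Returns the number of bytes written (printf's own return value). */
int print_using_text(const char *s_usingText) {
    return printf("%s\n", s_usingText);
}

/* Hardened form 2: no format processing at all. */
int put_using_text(const char *s_usingText) {
    if (fputs(s_usingText, stdout) == EOF) return -1;
    return (int)strlen(s_usingText);
}

/* Audit helper: count '%' sequences a format function would interpret.
 * A literal "%%" is not a directive. Handy in a unit test or review
 * script over strings that are about to reach printf-style functions. */
int count_format_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }  /* escaped percent */
        n++;
    }
    return n;
}

/* Build a message with a fixed format; snprintf bounds the output and
 * never interprets '%' inside s_usingText. Returns -1 on truncation. */
int format_using_message(char *out, size_t outsz, const char *s_usingText) {
    int n = snprintf(out, outsz, "using: %s", s_usingText);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void) {
    const char *untrusted = "100% sure %s %x";   /* constructed sample input */
    printf("directives found: %d\n", count_format_directives(untrusted));
    print_using_text(untrusted);                 /* prints the text verbatim */
    return 0;
}
```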