incubator-ooo-dev mailing list archives

From Rob Weir <apa...@robweir.com>
Subject Re: Population of ooo-security
Date Fri, 29 Jul 2011 21:05:42 GMT
On Fri, Jul 29, 2011 at 4:37 PM, Daniel Shahaf <d.s@daniel.shahaf.name> wrote:
> Dave Fisher wrote on Fri, Jul 29, 2011 at 12:04:44 -0700:
>> Let's stop misinterpreting and offending each other and find a way to
>> co-operate.
>>
>> Several possibilities have been discussed.
>>
>> (1) A private list of experts that will be contacted as needed by
>> ooo-security. Maybe this should be public, self-identified and on the
>> community wiki?
>>
>> (2) A list of interested, interrelated projects that want to be
>> informed of upcoming fixes, etc, slightly in advance. Registered on
>> the community wiki?
>>
>
> As long as it's not "Whoever registers gets notified".  The public
> notification is via the announce@ list, not via registration.
>
>> (3) Remembering that anyone who actually has an issue can report it to
>> ooo-security and ooo-security would likely include that individual in
>> their discussion and remediation. Other Apache projects actually show
>> who reported, when it was privately and when it was publicly
>> disclosed.
>>
>> (4) An offer to anyone who is an OOo security expert including LO/TDF
>> people to join the podling as a committer and member of the PPMC
>> - requires an ICLA (which is not a baptism nor is it circumcision) and
>> the vote of the PPMC.
>>
>> Do you have something constructive to add here?
>>
>
> (6) ooo-security@ voluntarily CC's libreoffice-security@ (the list, not
> individuals) when a concrete vulnerability is recognized and a fix needs
> to be devised.
>

And why not at that point cc Symphony, RedOffice, NeoOffice, BrOffice,
EuroOffice, etc?

If we need expertise in resolving an issue or preparing a fix then we
should seek out the best expert we can find willing to help,
regardless of their affiliation.  (Would you suggest less?)  And if
our goal is to give a pre-notification to downstream consumers (or
others who share a similar codebase) then we do so more broadly, to
trusted representatives of those projects, without favoritism.

I cannot imagine any situation where it would be appropriate to
automatically cc LibreOffice and only LibreOffice on every new
vulnerability.

> I'm not sure whether or not an ICLA would be required; but the ASF's
> legal rights to use the devised patches should be ascertained.
>
>> Regards, Dave
>
