incubator-ooo-dev mailing list archives

From Rob Weir <apa...@robweir.com>
Subject Re: [DISCUSS] Creation of ooo-security List
Date Wed, 06 Jul 2011 21:40:27 GMT
On Wed, Jul 6, 2011 at 3:02 PM, Dennis E. Hamilton <orcmid@apache.org> wrote:
> [I am reminded that the best way to talk to the PPMC is on ooo-dev and there is benefit
> in so doing.  Here goes.]
>
> PROPOSAL
>
> ooo-security@incubator.a.o be set up as a private list and a selection of not more than
> 10 security-aware PPMC members be subscribed to it.  We need to work out what the composition
> would be.  The list will be automatically forwarded to security@a.o.  I assume that there
> might be security-aware ooo-podling mentors and other ASF Members included in the small PPMC
> subscription.
>
> DETAILS
>
> General information about the Apache Security Team:
> <http://www.apache.org/security/>
>
> More details on the handling of security and vulnerabilities by committers and the role
> of the [P]PMC:
> <http://www.apache.org/security/committers.html>
>
> Note that creation of a security page on our web site is also part of this.  That should
> happen near-immediately also.
>

The website already has a "Security" link on the navigation panel, at
the bottom.  This takes you to the main Apache security page where the
reporter is instructed on how to submit reports.  According to that
page, security reports are routed to the PMC in case we do not have a
dedicated security list.  So I don't see the urgency on creating a new
list or a new web page, especially since we don't even have code in
the repository, let alone a release, and since there already is a
security list and contact address at OOo.  I think that the existing
procedures, in place at Apache, are adequate if someone wanted to
report a problem.

The idea of having the discussion in private, on the PMC private list
or on a private security list, is a good idea, so that any
vulnerability reported would not be immediately exploited by script
kiddies.  Or at least the chances of that would be diminished.  But I
don't think that any of the PPMC members are malicious hackers likely
to abuse any security sensitive information shared on the PPMC list.
Of course, only a subset of the members have security expertise.


> BACKGROUND
>
> I have been nosing around in document-related security areas and that has led me to inquire
> what the arrangements need to be for discussing security issues, identified vulnerabilities,
> proposed mitigations, etc.
>
> I've learned that the Apache approach is for each PMC taking the lead in handling security
> matters related to its releases.  To maintain the security of security matters, the practice
> is to have a private list (for us, ooo-security) with not more than ten security-aware subscribers.
>
> Since we may have "common-mode" issues with respect to the use of our common code base
> and implementation behaviors, it may be necessary to coordinate with other teams, including
> the LibreOffice security team, in our case.  We'll have to work that out on an individual-case
> basis, I suspect.  I don't know if we have any PPMC members who are also on that team, and
> I don't know what the structure was for OpenOffice.org and who may have been involved.
>

I'd object to us officially sharing advance security-related
information with some downstream consumers of OOo while not doing the
same with others.

>  - Dennis
>
>
