incubator-ooo-dev mailing list archives

From Rob Weir <robw...@apache.org>
Subject Re: Population of ooo-security
Date Fri, 29 Jul 2011 14:49:21 GMT
On Fri, Jul 29, 2011 at 10:37 AM, Florian Effenberger
<floeff@documentfoundation.org> wrote:
> Hi Malte,
>
> Malte Timmermann wrote on 2011-07-29 14:56:
>
>> I really disagree with adding all the members from OOo and LibO to the AOOo
>> security list.
>
> well, that's sad to hear, but I guess nobody cares at all, so I won't
> elaborate any further on this.
>
>> This was the same with OOo/LibO: You didn't add all people from OOo
>> security team to the LibO security list. Just me, and that actually was
>> enough IMHO.
>
> IMHO, I tried to bring everyone involved on that list, and we IMHO even
> discussed that on the OOo security list and gave people a chance to raise
> their hands. I don't have a subscriber list, but we tried to add all active
> people.
>
>> Honestly, I don't see a reason to have LibO PR/Marketing people on an
>> AOOo security list, _except_ they plan to work on security bulletins or
>> PR stuff also for AOOo.
>
> Everyone on the LibO security list is involved directly in security --
> either in detecting, fixing or writing security bulletins. We have no
> marketing/PR people on there just out of nothing.
>
>> For example: I really like and trust you, but after the LibO fork, I
>> would only have added LibO people to the OOo security list who work on
>> security analyses and common patches. I wouldn't have seen any reason to
>> add you, knowing that you only do LibO PR, but no OOo PR anymore.
>> You would have been informed via the LibO security list if needed.
>>
>> (Sorry to pick your name, but I guess that's a good example to make my
>> point clear).
>
> No problem. It's not about me, I just find it sad that things that worked
> out so very well in the past, and that could be a basis for cooperation, are
> now revoked by your side.
>

What did you think of Simon's idea of having a discussion list,
perhaps outside of Apache, where interested parties could discuss
issues related to the security of OOo and related code bases?
Something like that could be useful, even if it is not part of the
official incident response process of Apache or LibreOffice.

> Florian
>
> --
> Florian Effenberger <floeff@documentfoundation.org>
> Steering Committee and Founding Member of The Document Foundation
> Tel: +49 8341 99660880 | Mobile: +49 151 14424108
> Skype: floeff | Twitter/Identi.ca: @floeff
>
