incubator-ooo-dev mailing list archives

From Dave Fisher <dave2w...@comcast.net>
Subject Re: Population of ooo-security
Date Fri, 29 Jul 2011 19:53:18 GMT

On Jul 29, 2011, at 12:33 PM, Norbert Thiebaud wrote:

> On Fri, Jul 29, 2011 at 1:48 PM, Pedro F. Giffuni <giffunip@tutopia.com> wrote:
>> --- On Fri, 7/29/11, Norbert Thiebaud <nthiebaud@gmail.com> wrote:
>> ...
>>> 
>>>> 
>>> So let me use an analogy to illustrate why I thought that was
>>> sarcasm:
>>> 
>>> to me, Rob's paragraph read as:
>>> 
>>> The offer remains open: If any gay person wants to marry, we
>>> will gladly recognize that marriage, as long as they marry
>>> someone of the opposite sex.
>>> 
>> 
>> Religion is off topic here, but indeed you can't expect that
>> a specific church that defines marriage as the union between
>> a man and a woman to procreate will recognize same sex
>> unions as "marriages". No sarcasm there, just the rules.
> 
> The sarcasm here is not each other's position, but the claim that there
> is any 'open offer' in such a proposal.
> 
>> 
>>> 
>>> PS: why oh why would signing an iCLA be a requirement to be
>>> a project security liaison?
>> 
>> The ICLA covers two things that are essential for any
>> contribution: license and patents. It would be unacceptable
>> to accept security patches that could cause problems in
>> either topic.
>> 
> ok let me use a concrete example:
> 
> Let's say person A found somewhere in the code something like
> 
>  printf( s_usingText );
> 
> where there is a risk that s_usingText is not sanitized...
> 
> let's say person A notifies this security risk to the LibreOffice security list
> 
> What should happen then:
> 
> a/ LibreOffice keeps it private to LibreOffice members only, makes and
> publishes a fix, then and only then unleashes the news on the rest of
> the world, including AOO.org?
> 
> b/ The LibreOffice security list has subscribers that represent their
> cousin project AOO.org, so they are aware of it immediately and can
> themselves assess, fix and prepare a patch (if applicable)... and since
> they have cross-list access they can coordinate release and announce if
> need be.

c/ It is really up to person A. If it is ok with that individual then the LibreOffice security
list sends an email to ooo-security and the co-ordination begins.

The ooo-security list can do the same. Other siblings, cousins, children and friends can also
be informed as needed.

> If you selected option a/ then fine, subject closed.. but let's not be
> hypocrites about it.
> If you selected option b/ how do you rationalize that the behavior
> should not be reciprocal? 'because that is how Apache works?' really
> ?

Reciprocity works both ways. To make b/ true it would be necessary for someone who
is on the ooo-security list to be on the LO security list.

We understand the requirements here at Apache, but do not understand the qualifications for
being on the LO security mailing list. Perhaps you can enlighten us?


>> Ambassadors only get notified of internal issues; they
>> don't decide. A security officer would be more analogous
>> to a defense minister.
> 
> being subscribed as a liaison to an ooo-security list does not confer
> the subscriber any decision power... and yes the whole point of the
> cross-pollination _is_ to get notified as soon as possible of possible
> issues.

In Apache the members of ooo-security must be "decision makers", but that does not mean they
cannot talk to whomever they trust.

Regards,
Dave


> 
> Norbert
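The `printf( s_usingText )` pattern Norbert uses as his concrete example, shown here as an added illustration that is not code from the thread, from LibreOffice or from AOO.org. Only the variable name `s_usingText` comes from the message; the function names (`has_format_directive`, `render_vulnerable`, `render_safe`) and the sample strings are constructed for this example. It places the risky call shape beside its hardened form and includes a small review aid that flags strings carrying conversion directives.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not project code. s_usingText is the name from Norbert's
   message; every other identifier and all sample strings are constructed. */

/* Review/logging aid: true if s contains a '%' that the printf family would
   treat as a conversion directive ("%%" is a literal percent and does not
   count). Filtering input on this is NOT the fix; the fix is the calling
   convention shown in render_safe(). */
bool has_format_directive(const char *s) {
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }  /* "%%" -> one literal '%' */
        return true;
    }
    return false;
}

#if defined(__GNUC__)
/* The compiler rightly warns about the next function (-Wformat-security).
   The pragma only keeps the example compiling so both shapes can be run. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#endif
/* The shape from the message: the untrusted text IS the format string, so
   any directive inside s_usingText is interpreted. It is exercised here only
   with "%%"-containing input, which is well defined and enough to show the
   difference; a directive expecting an argument would read garbage
   (undefined behaviour). */
int render_vulnerable(char *out, size_t n, const char *s_usingText) {
    return snprintf(out, n, s_usingText);
}
#if defined(__GNUC__)
#pragma GCC diagnostic pop
#endif

/* Hardened form: a literal format string, with the data passed as the %s
   argument. The text is copied verbatim whatever it contains. */
int render_safe(char *out, size_t n, const char *s_usingText) {
    return snprintf(out, n, "%s", s_usingText);
}

int main(void) {
    char buf[64];
    const char *samples[] = { "Loading 100%% complete", "Value: %d", "plain text" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-24s directive? %s\n", samples[i],
               has_format_directive(samples[i]) ? "yes" : "no");
    }
    render_vulnerable(buf, sizeof buf, samples[0]);
    printf("vulnerable: %s\n", buf);  /* "%%" interpreted: Loading 100% complete */
    render_safe(buf, sizeof buf, samples[0]);
    printf("safe:       %s\n", buf);  /* copied verbatim: Loading 100%% complete */
    return 0;
}
```

Build with warnings on (`-Wall -Wformat=2`) and the `render_vulnerable` shape is exactly what the compiler reports as "format not a string literal"; that warning is the cheapest detection available for this bug class, and `render_safe` is the one-line change that silences it for the right reason.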

