incubator-ooo-dev mailing list archives

From Dave Fisher <dave2w...@comcast.net>
Subject Re: Population of ooo-security
Date Fri, 29 Jul 2011 19:04:44 GMT

> On Fri, Jul 29, 2011 at 11:58 AM, Dave Fisher <dave2wave@comcast.net> wrote:
>> 
>> On Jul 29, 2011, at 9:26 AM, Norbert Thiebaud wrote:
>> 
>>> On Fri, Jul 29, 2011 at 10:48 AM, Rob Weir <apache@robweir.com> wrote:
>>>> On Fri, Jul 29, 2011 at 10:58 AM, Florian Effenberger
>>>> <floeff@documentfoundation.org> wrote:
>>>>> Hi,
>>>>> 
>>>>> Rob Weir wrote on 2011-07-29 16:49:
>>>>>> 
>>>>>> What did you think of Simon's idea of having a discussion list,
>>>>>> perhaps outside of Apache, where interested parties could discuss
>>>>>> issues related to the security of OOo and related code bases?
>>>>>> Something like that could be useful, even if it is not part of the
>>>>>> official incident response process of Apache or LibreOffice.
>>>>> 
>>>>> I was not talking about chatting on security topics, I was talking about
>>>>> effectively cooperating on security issues, like we did in the past, in a
>>>>> trusted, well-proven group.
>>>>> 
>>>>> However, people made it clear that this is not of interest, so I simply shut
>>>>> up here.
>>>>> 
>>>> 
>>>> The offer remains open:  If any LibreOffice security expert joins this
>>>> list, states that they have relevant expertise and that expresses a
>>>> commitment to work on Apache OpenOffice security, and are willing to
>>>> sign and return the Apache iCLA, then I will gladly nominate them as a
>>>> committer and recommend that they be added to the ooo-security list.
>>> 
>>> Sarcasm does not "travel well", maybe you should add <sarcasm>
>>> </sarcasm> to the above paragraph ?
>> 
>> I think that Rob is being serious here, he's mentioned this twice. There are rules,
>> but there are ways to deal with those rules.
>> 
>> I fail to see any sarcasm in this honest offer and I second the offer including PPMC
>> membership. If a known OOo security expert
> 
> No Rob's 'honest offer' was: " If any LibreOffice security expert joins "
> 
>> wishes to join our podling we should make all necessary efforts to include them.
> 
> That was never the topic. The topic is: considering that we share a
> big common ancestor, if either one of us is made aware of a security
> risk, should we inform our cousin ASAP ? and if so, how best do that.
> Apparently in the past that was achieved by cross-pollinating
> each-other security list with a select few security-expert liaison.

So cross-pollinate by sending an email to ooo-security@i.a.o

> Note that this sword cuts both ways. ( http://en.wikipedia.org/wiki/Tit_for_tat )

I'm not playing that game and I hope that it is not your purpose.

> So let me use an analogy to illustrate why I thought that was sarcasm:
> 
> to me, Rob's paragraph read as:
> 
> The offer remains open: If any gay person wants to marry, we will
> gladly recognize that marriage, as long as they marry someone of the
> opposite sex.
> 
> The offer remains open: if any person wants to collaborate with us on a
> neighborhood watch list, we will gladly accept them as long as they
> get baptized in our church and renounce their evil ways.

Both of these analogies are highly offensive.

> 
> Norbert
> 
> PS: why o why would signing an iCLA be a requirement to be a project
> security liaison? It's like asking that any ambassador be a naturalized
> citizen of the country he is posted in.

Let's stop misinterpreting and offending each other and find a way to co-operate.

Several possibilities have been discussed.

(1) A private list of experts that will be contacted as needed by ooo-security. Maybe this
should be public, self-identified and on the community wiki?

(2) A list of interested, interrelated projects that want to be informed of upcoming fixes,
etc, slightly in advance. Registered on the community wiki?

(3) Remembering that anyone who actually has an issue can report it to ooo-security, and ooo-security
would likely include that individual in their discussion and remediation. Other Apache projects
actually show who reported, when it was privately disclosed and when it was publicly disclosed.

(4) An offer to anyone who is an OOo security expert including LO/TDF people to join the podling
as a committer and member of the PPMC - requires an ICLA (which is not a baptism nor is it
circumcision) and the vote of the PPMC.

Do you have something constructive to add here?

Regards,
Dave