Subject: Re: [DISCUSS] Creation of ooo-security List
From: Rob Weir
To: ooo-dev@incubator.apache.org, dennis.hamilton@acm.org
Date: Wed, 6 Jul 2011 19:10:25 -0400

On Wed, Jul 6, 2011 at 6:35 PM, Dennis E. Hamilton wrote:
> Well, vulnerabilities are vulnerabilities and if there is an exposure in current code or in documents produced in current code, isn't that a concern for us now? Why would it not be?
>

I'm not saying it is not a concern. I'm saying if you think it is a concern, then get on with it and report the concern.

> Also, I don't presume that everyone is downstream from us (as opposed to the OpenOffice.org that once was).
>
> I think of LibreOffice as a mutual stakeholder because it seems they have a security team too and like it or not, they are cranking out releases very quickly and may be able to provide mitigations, hypothetically, months before we ever get a release of ours out the door.
>

And IBM and RedOffice and Oracle don't have products in use based on this same code? And they don't have people who work with security? I question your definition of "mutual stakeholder", especially since our list of Committers has members from IBM, RedOffice and Oracle, but none from LibreOffice. And how often feature releases are "cranked out" is irrelevant to how quickly a vendor can release a security patch if needed. You are mixing two different kinds of releases.
> Also, some security issues may require a jointly-agreed response so that we attend to interoperability concerns, especially if mitigation involves breaking changes or even introduction of allowed extensions (in the context of the ODF specifications). Anything that fits into a discretionary area requiring producer-consumer agreement to work needs a community to unfold it.
>
> I don't know about the details of having that work. I do know if I uncover a problem, I am going to communicate it to every security-conscious entity I can.
>

Hopefully this will include the Apache security list at some point.

> To make this conversation concrete: I have security issues I want to raise, which is what had me looking into this in the first place. I would like to do this in a manner that is in keeping with concerns for dealing with security matters privately to ensure that there is competent review and no danger attached to premature disclosure. (I suspect not, because the vulnerabilities I am aware of exist in plain sight, but I want the counsel of someone having more security experience than I before saying, "Heck, I need something for today's blog post, why not stir things up with this?")
>

The Apache process for handling this is documented and it explicitly covers the case of reports for a project that does not have a dedicated security list.

>
>  - Dennis
>
> -----Original Message-----
> From: rabastus@gmail.com [mailto:rabastus@gmail.com] On Behalf Of Rob Weir
> Sent: Wednesday, July 06, 2011 14:40
> To: ooo-dev@incubator.apache.org
> Subject: Re: [DISCUSS] Creation of ooo-security List
>
> On Wed, Jul 6, 2011 at 3:02 PM, Dennis E. Hamilton wrote:
>> [I am reminded that the best way to talk to the PPMC is on ooo-dev and there is benefit in so doing. Here goes.]
>>
>> PROPOSAL
>>
>> ooo-security@incubator.a.o be set up as a private list and a selection of not more than 10 security-aware PPMC members be subscribed to it. We need to work out what the composition would be. The list will be automatically forwarded to security@a.o. I assume that there might be security-aware ooo-podling mentors and other ASF Members included in the small PPMC subscription.
>>
>> DETAILS
>>
>> General information about the Apache Security Team:
>>
>>
>> More details on the handling of security and vulnerabilities by committers and the role of the [P]PMC:
>>
>>
>> Note that creation of a security page on our web site is also part of this. That should happen near-immediately also.
>>
>
> The website already has a "Security" link on the navigation panel, at the bottom. This takes you to the main Apache security page where the reporter is instructed on how to submit reports. According to that page, security reports are routed to the PMC in case we do not have a dedicated security list. So I don't see the urgency on creating a new list or a new web page, especially since we don't even have code in the repository, let alone a release, and since there already is a security list and contact address at OOo. I think that the existing procedures, in place at Apache, are adequate if someone wanted to report a problem.
>
> The idea of having the discussion in private, on the PMC private list or on a private security list, is a good idea, so that any vulnerability reported would not be immediately exploited by script kiddies. Or at least the chances of that would be diminished. But I don't think that any of the PPMC members are malicious hackers likely to abuse any security sensitive information shared on the PPMC list. Of course, only a subset of the members have security expertise.
>
>
>> BACKGROUND
>>
>> I have been nosing around in document-related security areas and that has led me to inquire what the arrangements need to be for discussing security issues, identified vulnerabilities, proposed mitigations, etc.
>>
>> I've learned that the Apache approach is for each PMC to take the lead in handling security matters related to its releases. To maintain the security of security matters, the practice is to have a private list (for us, ooo-security) with not more than ten security-aware subscribers.
>>
>> Since we may have "common-mode" issues with respect to the use of our common code base and implementation behaviors, it may be necessary to coordinate with other teams, including the LibreOffice security team, in our case. We'll have to work that out on an individual-case basis, I suspect. I don't know if we have any PPMC members who are also on that team, and I don't know what the structure was for OpenOffice.org and who may have been involved.
>>
>
> I'd object to us officially sharing advance security-related information with some downstream consumers of OOo while not doing the same with others.
>
>>  - Dennis
>>