incubator-ooo-dev mailing list archives

From Simon Phipps <>
Subject Re: Population of ooo-security
Date Mon, 01 Aug 2011 23:40:58 GMT
On Mon, Aug 1, 2011 at 12:15 PM, Rob Weir <> wrote:

> On Mon, Aug 1, 2011 at 2:59 PM, Simon Phipps <> wrote:
> > One observation about this discussion:  Until there is actually a way to
> > make a binary deliverable from AOOo, any inbound security alerts would
> > probably need to be referred to LibreOffice anyway. While the Apache-only
> > list that's being speculatively designed here might be applicable once the
> > project is creating deliverables, but until then a pragmatic approach of a
> > temporary and inclusive list seems hugely preferable.
> >
> It is possible that some reports would be shared.  It is also possible
> that some would not.  For example, a report might be a duplicate.  It
> might be wrong.  It might be spam.  It might require a followup to
> clarify. It might involve code that doesn't exist in LibreOffice.  The
> discretion with the PPMC and their delegates.
> The Apache Security page makes it clear to reporters that they are
> reporting a vulnerability to Apache where it will be discussed
> privately by the project team.  They are not told that their report,
> with their name, company affiliation and other contact info, will be
> shared more broadly than that.  So even in instances where we did
> share information, such as with a 3rd party expert or via a
> pre-notification, that initial report would only be shared in
> anonymized form.

I don't think I understand how your response, which refers to the
functioning of a future list once AOOo has an operational development
process, applies to my comment, which refers to the situation now when any
incoming security issue would probably be triaged by fixing & recommending
use of LibreOffice.
