incubator-ooo-dev mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Neutral / shared security list ...
Date Tue, 25 Oct 2011 19:54:34 GMT
Having some lists on Sourceforge makes it clear to me that you don't want to go there.  My
sourceforge e-mail address, the one associated with the lists, receives an incredible number
of bounces of false e-mails allegedly from the list as well as crap sent to the list.  It
is difficult to avoid the conclusion that some of this is attributable to successful hacking into
the list servers.  That may be in the past, but there is no visibility and accountability
about it that I have found.

There is a strong requirement for a vigilant host that is intolerant of lax security and that
provides all of the appropriate safeguards and privacy of the kind required for a community
security list.  Such a list has a bulls-eye on its back and a big "ATTACK ME" arrow pointed
at it.

I recommended, and am still inclined to recommend, ASF for hosting for precisely the reasons
that they are vigilant and this is also demonstrated in how they are vigilant with regard
to the integrity of their code bases, the releases, and their authenticity.  There is little
question, to me, that ASF is likely going to outlast many alternatives for such a facility.

I view this as separate from issues about governance of the list itself and the conditions
for membership on the list.  Because security lists are by necessity used for sensitive information,
they cannot be public.  The challenge is to still have transparency and accountability over
how the list is governed and operated, as a list, and who the participants are (or at least, what
organizations are represented, for participants who are there as representatives of particular
projects).  By the way, I know of no list that expects reporters to it (who also might submit
packages) to have signed any kind of license agreement.  Maybe that happens.  I am not aware
of it.

I think Rob summarized the trust issues perfectly well.

Since there does not appear to be a situation where blind trust is present, nor called for,
the challenge is to build trust from some initial basis on which there is alignment.  

One case has to deal with trust in the impartiality and the serious professional conduct of
the hosting organization, whatever the list is and whatever its Internet address is.  I still
claim that the best choice of those offered so far is ASF.  

Whatever other candidates for hosting are, there needs to be strong agreement on the measures
that qualify that choice and inspire mutual trust, apart from where the domain name is.

 - Dennis

-----Original Message-----
From: Florian Effenberger [mailto:floeff@documentfoundation.org] 
Sent: Tuesday, October 25, 2011 08:56
To: ooo-dev@incubator.apache.org
Subject: Re: Neutral / shared security list ...

Hello,

it is really amazing how much hot air can be produced for such a topic.

Folks, it's rather easy. After the recent discussions and the history of 
this topic, it becomes obvious that neutral grounds are important.

Neutral grounds mean:
- no domain name related to Apache, OOo, TDF or LibO
- no hosting at one of these entities
- members of the list from both parties (and of course other third 
parties that make sense)
- admins of the list from both parties

I'd also avoid any of the German associations, either directly or via 
donations, since stakeholders at both projects are in their respective 
boards, which might raise concerns towards neutrality.

What's so complicated to understand here? We can bury ourselves with 
senselessly quoting bullshit from dictionaries, wikipedia or a 
philosopher of our choice, or finally start working on things.

A concrete proposal:
- We can use either FreeDesktop.org,
- or in case this is seen as non-neutral as it hosts also a few TDF 
lists (not all), go for SourceForge.
- I am also happy to ask a friend of mine who is in the business of mail 
server consultancy, to host that list under a neutral domain name. He 
hosts various lists for free projects. In case that's not neutral enough 
as he's a friend, I know none of the admins at SourceForge.

So, is there any *compelling* reason not to try out one of these three 
options?

Florian

-- 
Florian Effenberger <floeff@documentfoundation.org>
Steering Committee and Founding Member of The Document Foundation
Tel: +49 8341 99660880 | Mobile: +49 151 14424108
Skype: floeff | Twitter/Identi.ca: @floeff
