incubator-ooo-dev mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Vulnerability fixed in LibreOffice
Date Wed, 05 Oct 2011 23:25:55 GMT
Whatever the arrangement is to become, it should not have a single point of failure in achieving
coordination on common-mode/mono-culture vulnerabilities.  

Anyone can post to anyone's security list.  But they are private lists.  It is the part where
discretion must occur in handling vulnerabilities until the fix is in and a CVE is posted
that happens privately and that might work better with some shared membership on the security
lists.  On AOOo, the PPMC is aware of any resolution that works into code, because of the
way a security fix gets committed into a release.

The PPMC-only member rule is one that was made up on this PPMC.  

It still needn't interfere with us communicating with each other and advising about progress
toward a fix and CVE.  I know it hasn't been an impediment with the security issues that I
am aware of personally.

 - Dennis  

-----Original Message-----
From: Simon Phipps [mailto:simon@webmink.com] 
Sent: Wednesday, October 05, 2011 16:01
To: ooo-dev@incubator.apache.org
Subject: Re: Vulnerability fixed in LibreOffice

On Wed, Oct 5, 2011 at 11:11 PM, Dave Fisher <dave2wave@comcast.net> wrote:

> To be fair there have been email outages at least twice with
> openoffice.org - perhaps the messages were lost during that time.
>

Entirely plausible, I agree.

So given securityteam@openoffice.org appears to be abandoned, and given the
ooo-security list is only open to Apache committers, where should
collaboration be taking place? I'm happy to mediate a discussion/solution.

S.

