incubator-ooo-dev mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Neutral / shared security list ...
Date Tue, 25 Oct 2011 20:36:32 GMT
+1

I am very much in support of the view that Dave has evolved in this discussion.   The discussion
is not about the private security teams each project must have to deal with its security issues
and to ensure the secure operation of the dealing with security issues.

If there is to be a community location for sharing concerning common vulnerabilities and security
concerns among those teams, a kind of secure channel among the parties, like a multilateral
hot line, some trustworthy basis for that has to be achieved.  The security of our users in
relying on our products and their interchange protocols and formats is paramount.  Ultimately,
that is the bedrock for enduring the discomfort of finding ways to accomplish this that is
trustworthy for all of the participants.

 - Dennis

-----Original Message-----
From: Dave Fisher [mailto:dave2wave@comcast.net] 
Sent: Tuesday, October 25, 2011 12:30
To: ooo-dev@incubator.apache.org
Subject: Re: Neutral / shared security list ...

Hi Pedro,

On Oct 25, 2011, at 11:42 AM, Pedro Giffuni wrote:

> I am not in the PPMC specifically to avoid participating in this type of
> discussions, but I have to say this, just IMHO:

I appreciate your decision to focus on the code. Project management keeps pulling me away
from code ... for too many years.

> 
> I fail to understand why the ASF is not considered neutral, deep
> inside I think the reason is simply because this year we got a bigger
> toy in our Christmas tree that they wanted. Hope I am wrong.

Michael Meeks and Florian have been explicit today that openoffice.org as a destination is
not considered neutral by the TDF.

I haven't explicitly asked if an apache.org address is not sufficiently neutral ... I suspect
not.

I think about this as a branding decision by TDF about LO and not our business.

> We owe to our millions of users out there to maintain our own security
> channels and we cannot delegate them to a third party. Looking for
> an unrelated domain to handle our issues is like giving your children
> to your neighbors so they educate them "impartially".

There should be no doubt that ooo-security@i.a.o will remain as the project's security list.

If there is a meta-list for security for all of the peers in the OOo / LO and the rest community.
This is some confederation that shares security issues in a private manner between peers.
The peers have the mutual interest of their communities in mind.

> 
> If there is no interest in bringing the code bases together I think there
> is not much to gain on a shared security list on the long run.

There is a need for co-operation regardless of the code divergence. The code will retain significant
commonality. The ODF format is a standard. There will be common security issues.

One could argue that such co-operative lists should include all of the Microsoft Office
community as well. Both LO and OOo implement OOXML and the binary MS Office formats. I won't
because I suspect that it is a bridge too far.

Regards,
Dave

> 
> Pedro.

