incubator-ooo-dev mailing list archives

From "Dennis E. Hamilton" <>
Subject RE: Neutral / shared security list ...
Date Wed, 19 Oct 2011 21:56:03 GMT
It is a little difficult to figure out where to reply on this thread, but I am 
mostly aligned with Shane and the response from Simon.
First, since the earlier conversation and the exchange that Michael Meeks 
mentions in his restart of this thread today, Martin Hollmichel added Rob Weir 
as an additional moderator on securityteam@ OO.o.  I privately requested being 
added to that list as a subscriber so that there is more coverage from 
ooo-security@ i.a.o, although I don't know if that has been accomplished.

Also, ooo-security@ i.a.o is subscribed to securityteam@ OO.o.  So, there is a 
way to receive everything that goes to securityteam@ and there are enough of 
us who should be able to ensure that anything of mutual importance that 
ooo-security@ learns of can be reported to securityteam@.

There is now a degree of shared oversight on the securityteam@ list that 
should work going forward as tuning is done.

I believe this is preferable to making a new place and having to construct a 
new securityteam, for many reasons including the security of securityteam@.

The preceding steps were taken around October 10-13 on the urging of Apache 
mentor(s) that action had been delayed too long and the cross-connection on 
common territory needed to be cleaned up ASAP.  I think that's been 
accomplished well enough for now.

This does raise some issues.

First, perpetuation of securityteam@ OO.o depends on preservation of that 
e-mail list and its operation when the domain comes under 
Apache custody.  If, instead, securityteam@ OO.o has to be abandoned, an 
alternative community-common location will have to be created.

If securityteam@ OO.o is preserved, I believe the oversight of security@ and the care of Apache infrastructure is a bonus.  The ASF 
attention to security and commitment to the security and safety of the sites 
in its care is valuable.  It is well-established.  The strength of the 
security@ team is a related bonus.  There is a highly-experienced and 
qualified team in a position to ensure that securityteam@ is secured and also 
operated in a reliable and even-handed way.

I had preferred, myself, that any ASF contribution of moderation and 
administration, along with that provided by others, come from security@ a.o 
rather than anyone on ooo-security @ i.a.o.  I think security@ is more 
credible as a neutral party.  ASF has no issue with how many different office 
suites there are, how many open-source office suite projects there are, and 
what the variety of releases and distributions might be.  So I think it is a 
superior earnest from ASF to have security@ take a hand to ensure that 
security comes first and that competitive instincts will have no influence. 
On the other hand, security@ already has oversight on everything that happens 
on ooo-security, including anything ooo-security receives automatically from 
securityteam@ OO.o.  I think that is good enough, but it might not be 
perceived to be by those who need to be able to trust in securityteam@ OO.o.

If securityteam@ OO.o cannot be preserved, then an alternative arrangement 
will have to be made no matter what.  Then I think it is important that 
Michael Meeks's latest proposal be brought to the front.  Even if Apache 
hosting and infrastructure is chosen as a proven way to have assurance of 
available and secure sites and lists, it might be better to not use an domain name for it.

 - Dennis

-----Original Message-----
From: Shane Curcuru []
Sent: Wednesday, October 19, 2011 08:41
Subject: Re: Neutral / shared security list ...

On 10/19/2011 11:28 AM, Simon Phipps wrote:
> On Wed, Oct 19, 2011 at 4:16 PM, Pedro Giffuni <> wrote:
>>   -1
>> The Apache Foundation *IS* neutral.
>> Beyond the evident open wounds the previous relationship with SUN/Oracle
>> may have left in the community, the domain is the natural
>> reference for longtime users and the developers of the many forks.
> I agree, but the problem is one not of the neutrality of the trademark owner
> but rather the practical neutrality of the administration of the shared
> list.  Is the project happy for the list administration to be shared with
> others outside Apache?
> If so (and if it actually happened!) I would share your vote and re-iterate
> my earlier proposal that be used.
> S.

I'm confident that the Apache security team and specific members of AOOo
PPMC could arrange a suitable administration structure to satisfy any
reputable security-minded contributor in the OOo world.  While some of
us may have significant differences elsewhere, I hope (and presume) that
we all take security seriously enough to do it correctly.

And given that the existing s@oo.o email address is already plastered
over archives and search results and millions of users' existing
installs, keeping the same email address is a huge bonus in terms of
capturing security issues from less technical end-users.

In terms of reliability, that should not be an issue once we are hosting
the mailing lists at the ASF and the Apache infra team has full access
to maintain the lists up to the same standards as our other lists.

- Shane
