incubator-ooo-dev mailing list archives

From Dave Fisher <>
Subject Re: [Proposal] Security coordination without a shared list
Date Tue, 25 Oct 2011 17:29:17 GMT

I'd like to actually try to work out the shared list situation with a sincere spirit of mutual
understanding, listening and co-operation.

On Oct 25, 2011, at 9:08 AM, Rob Weir wrote:

> There is an easy way to avoid all the trust issues with regards to
> shared mailing lists.  Don't have such a list.  Trust individuals.
> This proposal takes this approach.
> 1) The AOOo PMC solicits the names of security contacts from related
> projects who wish to be consulted related to pre-disclosure
> coordination related to analysis and resolution of reported security
> vulnerabilities.  Names of individuals are preferred over opaque
> mailing lists.  Trust can be established based on a PGP/GPG web of
> trust.  These names and addresses are stored confidentially in the
> PPMC's private SVN directory.

Do you have software that actually exists that does this? Who is going to build this?

> 2) The AOOo security team reaches out to these contacts, as
> appropriate, via their preferred contact mechanism, to coordinate on
> specific vulnerabilities.  We (Apache) would cc ooo-security on our
> external emails, as required by Apache policy [1].

Replies would not necessarily be cc'd to ooo-security and that would be a problem.

> 3) Other groups would be encouraged to reach out to AOOo in similar
> circumstances via our preferred contact mechanism, ooo-security.
> 4) This fully allows targeted collaboration on specific issues, via
> each project's preferred contact mechanism,  without requiring the
> maintenance of an additional email list.
> 5) If we want to discuss security in general, then that can/should
> happen on public dev lists. That public discussion could occur
> anywhere.
> [1]:

Time to be productive today.

