incubator-ooo-dev mailing list archives

From Michael Meeks <michael.me...@suse.com>
Subject Re: Neutral / shared security list ...
Date Tue, 25 Oct 2011 10:47:31 GMT
Hi Dave,

On Mon, 2011-10-24 at 16:25 -0700, Dave Fisher wrote:
> Not sure how much this is like your original proposal, but maybe the
> following is acceptable:
> 
> (1) The securityteam@openoffice.org continues.

	As mentioned, not happy about an openoffice.org domain; LibreOffice is
not openoffice.org, that is not really neutral.

> (2) The membership of securityteam ML should be open to individuals
> and forks/"downstreams" as selected by the ML membership.

	Fine - though I'd characterise AOOoI as a fork too if this
is used as a loaded term.

> (3) The securityteam ML moderators are selected from the
> individual membership of the securityteam ML.

	Fine.

> (4) The securityteam ML is nominally under the governance of the
> ASF - either the AOOo podling PPMC, the Apache Security Team, or
> even the Foundation Board. I think the AOOo podling PPMC should
> be acceptable, but we can ask the other entities if that is not
> neutral enough. We may ask the TDF to neutrally host some
> component and it would make sense for each entity to trust the
> neutrality of the other entity (Rob's real point).

	Totally unacceptable, I'm sorry. The Apache project is by no means
neutral. The decision to take on AOOoI and the actions of that project
are its responsibility.

> (5) No iCLAs are required.

	Of course.

> (6) A set point for membership is determined when at least
> AOOo, TDF, and any other OOo fork/"downstreams" who might
> appear within a reasonably short time period. The deadline
> would need to be agreed.

	I would not have a process - we should just include everyone competent
who has a reason to be there; that is normally fairly easy to work out
relationally; if not the moderators can thrash it out. If it is a
multi-vendor, neutral list I don't envisage controversy there.

> (7) The securityteam@openoffice.org ML will be hosted by the
> ASF when the MX for openoffice.org is moved to ASF Infrastructure.

	Hosting by the ASF is by no means ideal, but perhaps compromise here is
reasonable.

> I'm currently curious if LO uses extensions.s.oo.o and templates.s.oo.o?

	We built our own new infrastructure for that.

	So - I am still fairly firmly convinced that this security thing is not
going to pan out. Here is my potted history of it:

	* initial request for continuing the traditional,
	  friendly cross membership of security lists
		+ turned down at AOOoI: Apache Committers only
	* requests for a neutral list with neutral name turn into:
		+ ASF & openoffice.org -are-neutral-; proof by assertion
	* more compromise proposals arrive
		+ these have high level ASF governance hard-wired

	This doesn't make it seem like we're going anywhere productive, which
is fine - there is no huge problem with having two separate public
facing security lists that can have cross membership on them.

	Since there is no TDF affiliated admin for the currently suggested,
Apache controlled, 'neutral' security list, extracting a membership list
of that would be appreciated - so we can mirror it in a suitable other
place.

	I'm also minded to consider the relative grief of endlessly re-hashing
this issue vs. actually fixing whatever bugs are found. Can we not just
move on.

	All the best,

		Michael.

-- 
michael.meeks@suse.com  <><, Pseudo Engineer, itinerant idiot

