incubator-ooo-dev mailing list archives

From Shane Curcuru <>
Subject Re: Vulnerability fixed in LibreOffice
Date Thu, 06 Oct 2011 15:07:46 GMT
Wow, has this thread not gone anywhere, nor been as polite as I'd hope.


Fundamentally, the ASF has delegated responsibility for all future 
Apache OpenOffice releases to the Apache OpenOffice PPMC.  I believe and 
support them having a private security@ list that only PPMC members are 
allowed to subscribe to, to accept reports of vulnerabilities and to 
make plans to address them in ASF releases.

The issue is, what to do with security issues raised about *previous* 
releases of software - something that normally we'd all 
look to Oracle and the previous Security Team of to fix, 
but in this case, we need to at least attempt to address them ourselves 
(hopefully, jointly).

I think we've completely lost sight of "B", a place where Apache 
OpenOffice PPMC members and trusted others of related projects can work 
together.  Given the interrelationships of code between OpenOffice and 
LibreOffice and others, I would definitely vote to use or host an 
officesecurity@somedomain private list where *any* existing members of 
an OOo related security team would all be allowed to subscribe and work 
on issues in conjunction.

Personally, I'd suggest using the existing 
for this purpose of "B", because it's already well known, and uses the domain (which will be hosted by the ASF in the future). 
The Apache-specific list would be the existing list, which would be open only to ASF 
committers that the Apache OpenOffice PPMC approves.

But that's just my (non-binding) vote.  But I'd definitely like to see 
more organized cooperation here in terms of capturing and sharing basic 
information about security fixes.

And in terms of IP, I would hope that any participants in the (future) 
joint securityteam@oo.o list would agree explicitly to mail only 
AL-licensed code to that list, ensuring that the Apache OpenOffice 
podling could use it in a release.

- Shane

On 10/6/2011 10:38 AM, Florian Effenberger wrote:
> Hi,
> Jürgen Schmidt wrote on 2011-10-06 14:40:
>> My idea is to simply use the existing
>> <> list for
>> collaborative work on this topic. LibreOffice has also a separate
>> security
> list, right. So I don't see your point here.
> I proposed that, Rob Weir refused to continue with the existing
> contacts, telling things at Apache were different.
> Ping me when you folks have sorted out your issues.
> Florian
