incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Shane Curcuru <...@shanecurcuru.org>
Subject Re: PMC report for October 2011
Date Wed, 12 Oct 2011 13:04:32 GMT
On 10/12/2011 8:51 AM, Rob Weir wrote:
> On Wed, Oct 12, 2011 at 6:34 AM, Ross Gardler
> <rgardler@opendirective.com>  wrote:
>> Before I sign off I'd like to see the report address external
>> communications explicitly.
>>
>> The project has a real problem right now with asserting itself as the
>> OpenOffice.org project and defining how it will interact with
>> downstream projects. Is the community going to take ownership of this?
>>
>> It would be nice to see a statement from the PPMC making it explicit
>> what they wish to tackle and, where possible, how. For example, after
>> a flurry of discussion about improved security reporting processes and
>> collaboration opportunities is the PPMC going to deliver or will this
>> just die down and go away?
>>
>
> In that other long thread -- and it is understandable if you missed
> this -- I said:
>
> "I think it would be good if the PPMC wanted to express to the
> ooo-security members that they want us to make security collaboration
> with TDF/LO a priority and to make every effort to share all
> appropriate information with TDF/LO.  I'd support that.  This could be
> solemnized by having a few Apache members, maybe mentors, affirm that
> they will make an effort to monitor that ooo-security list and to
> escalate to the AOOo PPMC is there is any backsliding on this."

I'm not sure what you're actually asking here.  "ooo-security members" 
should be the people the PPMC appoints/approves there (and potentially 
anyone that the central Apache security@ team appoints), so it seems 
like you're talking about yourselves there.  Who else is there between 
the ooo-security@ list and the PPMC?

Yes, I agree that efforts should be made to responsibly share security 
issues with technically related projects.  This should be a default; 
while it's certainly good to bring it up, if there was anyone here who 
wasn't clear on the idea that Apache projects *must* take security 
seriously, then... well, then they should change their expectations.

Security in Apache products - and properly handling reports and 
*responsibly* disclosing issues - is a mandatory feature.  If the PPMC 
does have specific questions on best Apache practices, then security@ is 
the place to go.

> So I'm proposing that a couple Apache members step up to the plate on
> this as well.  What do you say?

The point of incubation is to show a healthy community that manages 
itself.  So I'm looking to the PPMC to be handling this yourselves. 
That said, trying to attract new contributors - especially ones who are 
familiar with the Apache Way - is always a good idea.

I certainly plan to review the ooo-security@ list periodically to see 
how it's operating, as a mentor, but currently that's to prove to myself 
that the project's members are acting responsibly, not necessarily to do 
the project's work for it.

- Shane


>
> -Rob
>
>
>> NOTE I'm not asking for a full strategy in the report, just a
>> statement indicating whether or not the PPMC feels that it owns these
>> issues. If it doesn't want to own them then who does?
>>
>> Ross
>>
>> On 7 October 2011 15:33, Shane Curcuru<asf@shanecurcuru.org>  wrote:
>>> Tip: the board always appreciates well written reports that follow these
>>> reporting guidelines:
>>>
>>>   http://www.apache.org/foundation/board/reporting
>>>
>>> - Shane
>>>
>>> On 10/5/2011 8:05 PM, Alexandro Colorado wrote:
>>>>
>>>> Added some items for the October report for OOo. Feel free to chip in.
>>>>
>>>> http://wiki.apache.org/incubator/October2011?action=diff&rev2=11&rev1=10
>>>>
>>>
>>
>>
>>
>> --
>> Ross Gardler (@rgardler)
>> Programme Leader (Open Development)
>> OpenDirective http://opendirective.com
>>

Mime
View raw message