incubator-ooo-dev mailing list archives

From Kay Schenk <kay.sch...@gmail.com>
Subject Re: [Proposal] Security coordination without a shared list
Date Tue, 25 Oct 2011 19:28:43 GMT


On 10/25/2011 09:08 AM, Rob Weir wrote:
> There is an easy way to avoid all the trust issues with regards to
> shared mailing lists.  Don't have such a list.  Trust individuals.
> This proposal takes this approach.

Actually I personally like this idea. Why? There have been many 
statements/testimonies to the fact that the LO contains a great deal of 
code that is NOT in any of the OOo releases, and is now quite different. 
And, presumably, the LO development will continue to be different enough 
to warrant its own separate universe of mailing lists. I think at some 
point if we decided we really truly wanted to have a shared security 
list, it would become very difficult to determine who was the 
responsible party for the grievances. I might be exaggerating the 
problems since I'm not a developer, but, then again, maybe not.

So, although I'd love to see us work more closely with LO, I believe 
separate security lists are in order.

>
> 1) The AOOo PMC solicits the names of security contacts from related
> projects who wish to be consulted related to pre-disclosure
> coordination related to analysis and resolution of reported security
> vulnerabilities.  Names of individuals are preferred over opaque
> mailing lists.  Trust can be established based on a PGP/GPG web of
> trust.  These names and addresses are stored confidentially in the
> PPMC's private SVN directory.
>
> 2) The AOOo security team reaches out to these contacts, as
> appropriate, via their preferred contact mechanism, to coordinate on
> specific vulnerabilities.  We (Apache) would cc ooo-security on our
> external emails, as required by Apache policy [1].
>
> 3) Other groups would be encouraged to reach out to AOOo in similar
> circumstances via our preferred contact mechanism, ooo-security.
>
> 4) This fully allows targeted collaboration on specific issues, via
> each project's preferred contact mechanism, without requiring the
> maintenance of an additional email list.
>
> 5) If we want to discuss security in general, then that can/should
> happen on public dev lists.  That public discussion could occur
> anywhere.
>
>
> [1]: http://www.apache.org/security/committers.html

-- 
------------------------------------------------------------------------
MzK

"This is no social crisis
  Just another tricky day for you."
                  -- "Tricky Day", the Who
