incubator-ooo-dev mailing list archives

From Shane Curcuru <...@shanecurcuru.org>
Subject Re: [Proposal] Security coordination without a shared list
Date Wed, 26 Oct 2011 12:32:50 GMT
If this is what the AOOo PPMC ends up deciding, what happens to the 
specific securityteam@ email address?

Given that it's already plastered over the web, I think it would be 
useful to have it forward to ooo-security@, so that at least the 
relevant AOOo security experts can get any reports that go there, and 
can ensure they inform any other relevant parties by your method below.

- Shane

On 10/25/2011 12:08 PM, Rob Weir wrote:
> There is an easy way to avoid all the trust issues with regards to
> shared mailing lists.  Don't have such a list.  Trust individuals.
> This proposal takes this approach.
>
> 1) The AOOo PMC solicits the names of security contacts from related
> projects who wish to be consulted related to pre-disclosure
> coordination related to analysis and resolution of reported security
> vulnerabilities.  Names of individuals are preferred over opaque
> mailing lists.  Trust can be established based on a PGP/GPG web of
> trust.  These names and addresses are stored confidentially in the
> PPMC's private SVN directory.
>
> 2) The AOOo security team reaches out to these contacts, as
> appropriate, via their preferred contact mechanism, to coordinate on
> specific vulnerabilities.  We (Apache) would cc ooo-security on our
> external emails, as required by Apache policy [1].
>
> 3) Other groups would be encouraged to reach out to AOOo in similar
> circumstances via our preferred contact mechanism, ooo-security.
>
> 4) This fully allows targeted collaboration on specific issues, via
> each project's preferred contact mechanism, without requiring the
> maintenance of an additional email list.
>
> 5) If we want to discuss security in general, then that can/should
> happen on public dev lists. That public discussion could occur
> anywhere.
>
>
> [1]: http://www.apache.org/security/committers.html
