incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Shane Curcuru <...@shanecurcuru.org>
Subject Re: [proposal] Neutral / shared security list ...
Date Wed, 26 Oct 2011 13:06:55 GMT
I also have to say - similar to what Dennis said - that if we're making 
a specific proposal for ways to address security concerns that it 
absolutely needs to be in a new thread, with a clear title and a clear 
and detailed proposal.

There are far too many threads going on for enough people in the PPMC to 
be able to have a good understanding of all of them.

Also, 72 hours is the minimum for seeking lazy consensus.  For something 
as important as security, I might suggest giving it a longer time.

- Shane

On 10/25/2011 6:44 PM, Dennis E. Hamilton wrote:
> Dave, if you are going to do that, just relabeling a thread is not helpful.
>
> Please compose a specific concrete proposal under a [DISCUSS], and announce the duration
and end-time for a lazy consensus at the top.
>
> Give it at least 3 full 24-hour calendar days.
>
> I don't have any sense that there is alignment yet, but there may be in that time and
I am happy to be mistaken.  Then at the end, if there is a consensus, please report what it
is.
>
>   - Dennis
>
> -----Original Message-----
> From: Dave Fisher [mailto:dave2wave@comcast.net]
> Sent: Tuesday, October 25, 2011 15:35
> To: ooo-dev@incubator.apache.org
> Cc: floeff@documentfoundation.org
> Subject: Re: [proposal] Neutral / shared security list ...
>
> Hi -
>
> Sorry to reply to myself.
>
> Even though there are choices in this email. Please view it as a proposal. Where we are
seeking lazy consensus.
>
> On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote:
>
>> On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote:
>>
>>> On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher<dave2wave@comcast.net>  wrote:
>>>
>>>>
>>>> Agreed. We need to pick a neutral domain name. office-security.org is
>>>> apparently free.
>>>>
>>>> Some institution needs to buy domain registration. I've been the volunteer
>>>> registrar for a social groups domain, it is a pain to transition. This needs
>>>> to be an institution, it could be Team OOo?
>>>>
>>>
>>> I think they are too close to the matter.  SPI exists specifically to hold
>>> assets in trust - perhaps they would hold the registration for us all?  If
>>> we agree I'd be happy to volunteer to contact them.
>>>
>>> It's also possible we could ask OSI to do it - Jim Jagielski and I are both
>>> on the Board at present.
>>
>> These are both interesting ideas.
>
> The proposal is to pick a domain and get registration  Simon volunteers to help.
>
>
>>
>>>
>>>
>>>>
>>>> An ISP for hosting the private ML needs to be selected. Dennis suggests
>>>> that the ASF could be that ISP for free.
>>
>> <slight snip/>
>>
>> And:
>>
>> <insert>
>>
>> On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote:
>>
>> <snip/>
>>
>>>
>>> If we basically agree that such a list as outlined by me is a way to go, I am
happy to ask a friend of mine who has a very good reputation in being a mail server, mailing
list and security expert, with a very good track record, including all sorts of certifications.
He is offering e-mail services as business.
>>>
>>> I just don't want to spread the name publically without asking him first, and
I don't want to ask him, before we have some common understanding. :-)
>>>
>>
>>
>> </insert>
>
> The proposal is for the exiting securityteam to choose, the above are two possibilities.
>
>
>>
>>
>>>>
>>>> securityteam@oo.o is migrated to whatever the new list is, and those
>>>> people start administrating.
>>>>
>>>> I think it is very important for the public to know who all of the projects
>>>> are on the shared ML.
>
> I propose that this shared security team provide a list of participating peers to the
public.
>
>>>>
>>>> Are we done already :-)
>>
>> Let's let the world revolve to see if we have some Consensus.
>
> Revolve 3x or 72 hours.
>
> Regards,
> Dave
>
>>
>> Regards,
>> Dave
>>
>>>>
>>>> Regards,
>>>> Dave
>>>>
>>>>>
>>>>> That is fair to anyone, does not exclude anyone, does not benefit one
>>>>> over the other -- it's easy, simple, and the best way to go. Sure,
>>>>> everyone can create own aliases pointing to that list, but the core is
>>>>> the same, and that's what matters.
>>>>>
>>>>> If you folks now start complaining about we don't trust Apache, we can
>>>>> answer by complaining you don't trust TDF and so on. It's a horrible
>>>>> waste of time, it's lame, it does not help anyone, and it makes me doubt
>>>>> we're talking amongst adults, seriously.
>>>>>
>>>>> And, really, all this crap being tossed around about trustworthiness,
>>>>> upstream, downstream, code similarities and insults is worth not even
>>>>> the digital paper it's written on.
>>>>>
>>>>> I made a simple, plain, and easy proposal. Don't make things overly
>>>>> complicated, folks.
>>>>>
>>>>> Thanks for considering,
>>>>> Florian
>>>>>
>>>>> --
>>>>> Florian Effenberger<floeff@documentfoundation.org>
>>>>> Steering Committee and Founding Member of The Document Foundation
>>>>> Tel: +49 8341 99660880 | Mobile: +49 151 14424108
>>>>> Skype: floeff | Twitter/Identi.ca: @floeff
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Simon Phipps
>>> +1 415 683 7660 : www.webmink.com
>>
>

Mime
View raw message