incubator-ooo-dev mailing list archives

From Dirk-Willem van Gulik <>
Subject Re: Vulnerability fixed in LibreOffice
Date Thu, 06 Oct 2011 13:00:35 GMT

On 6 Oct 2011, at 13:22, Florian Effenberger wrote:
> Dirk-Willem van Gulik wrote on 2011-10-06 14:14:
>> Furthermore - there is nothing stopping you from having a knownsecurity@ group more
>> focused on security - and having this as your first (more public) port of call.
> for years, there has been security@ooo. That group knows each other very well, has been
> working together in trust for many years, and not only I proposed here on this list to continue
> working the way it was before, since security is an area where we can work together closely
> apart from any "political" issues.

Good. So you have an excellent starting point. And know that this type of sharing is very
common already.

> However, I was told several times, that this is not desired

Reading the exchanges - I think language was getting in the way of things. As I tried to
outline - there are a few aspects pertaining to oversight which need to be met (by any
foundation - and the US makes some of that a lighter touch, than, say, the legal system of the
Netherlands would allow a 'stichting' or 'vereniging'). But beyond that - there is freedom.

I can easily imagine a group of committers doing initial follow and triage around
security@$ - who have a very routine, very trusted and deep relation with other security groups
outside the ASF and vice versa. And I'd expect that you'd quickly gravitate towards joint
advisories and similar when appropriate. If that means that an MoU is needed - well that would
be a first - but not something you should reject out of hand.

Meanwhile the ASF will always be responsible, accountable and needs to show it is in full
control of each and every bit which goes out as a release - and we (mostly) do that by ingress
control on our version control system. So CLA's are important. And the board will expect that
the PMC maintains proper oversight. 

It is such a key part of a release and our responsibility that one cannot easily 'farm this
