incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dave Fisher <>
Subject Re: Neutral / shared security list ...
Date Tue, 25 Oct 2011 17:22:09 GMT
Hi Michael,

On Oct 25, 2011, at 9:35 AM, Michael Meeks wrote:

> Hi Dave,
> 	First - thanks for being so reasonable :-) it is rather refreshing to
> talk details in a pleasant fashion.

You are welcome! I'm looking for common ground and I am trying to listen to logic.

> On Tue, 2011-10-25 at 08:24 -0700, Dave Fisher wrote:
>> However, this is moot (does not matter) if the address is not in
>> a domain that the ASF is responsible.
> 	Fair enough, seems we're on the same page here then.
>>> 	I would not have a process - we should just include everyone competent
>>> who has a reason to be there; that is normally fairly easy to work out
>>> relationally; if not the moderators can thrash it out. If it is a
>>> multi-vendor, neutral list I don't envisage controversy there.
>> I don't either. My thought was to give individuals / peer projects time to
>> appear. If they are welcomed gladly by the list after the list's
>> establishment then no troubles.
> 	Sure - I suspect pre-populating with the previous guys, adding a few
> more interested & relevant parties and so on would be fine.
>> I think it would help to have a single ML and I think that is more 
>> important than the address.
> 	Completely agreed.
>> can be made to forward to that address
>> if necessary.
> 	Sure.
>> It would be good for the AOOo PPMC to see this list as well. I think
>> that the actual membership should be shared in private. Would someone
>> with appropriate karma on the OOo MLs please provide this.
> 	That'd be Rob or Malte or Martin? I suspect.

One or more of those three I think. Membership is a side issue from the plan.

>> You suggested:
> 	Yep, luckily it is not created just yet.
>> The comment was that this was not an appropriate domain name as not
>> all of the "Office Space" is Linux. So, the open question is where
>> the list is hosted.
> 	Sure; so freedesktop is chosen only because it happens to be close to
> hand, and more neutral than anything else I could think of in five
> seconds, and less lame than eg. a sourceforge address. I had hoped that
> there would be volunteers with more fun-sounding domains around that
> could host a mailing list. IMHO it doesn't need to have ultra-rocket
> powered security / mail encryption features - the problems are mostly
> rather banal.
>> Martin mentions hosting at Team OpenOffice, but that fails your
>> neutrality test doesn't it?
> 	Gosh - actually, I don't know. It is really not that clear to me where
> Martin & co. stands on these things, though having read his intro mail
> here which seemed (to me) to suggest that TDF should give up & go
> home ;-) I'd tend to agree with that neutrality concern.
> 	Of course, perhaps this is all overblown anyway; if the
> domain was to become something common to, and shared by all those
> distributing binaries based on the code, that might be the neutral place
> we're looking for. Of course, so far its clear to me what the plans are
> for the domain.

We do plan to port to support all the current non AL releases and archives.
It will be branded in a way approved by the ASF removing Oracle logos, etc.

While the AOOo project will control the website content through the Apache SVN, there is no
reason that some of the services couldn't be hosted elsewhere. The main requirements
would be OOo branding and nominal AOOo oversight.

> 	So where does that leave us ? one approach that hasn't been discussed
> (and is perhaps a good compromise) - is for me to go ahead and setup the
> list @freedesktop, and for you guys to advertise the @ooo alias on your
> pages, and us to advertise the freedesktop one on ours.
> 	That'd give a neutral venue, name, back-compat, no need to use the
> freedesktop brand for AOOoI etc.
> 	What do you think ?

I think we are getting somewhere. The last detail is which is the real ML and which is the
forwarder. While the AOOo project might prefer to have that be the original securityteam@oo.o
the best choice is really technical.

Let's think about the operation from the point of view of the user who sends a report to this
two headed list. By default when a reply is sent it will have a reply-to from the real ML.
If the user sent the message to the forwarding ML they may be confused (and upset.)

I think where the real shared securityteam ML exists should be determined by the flexibility
in handling this situation. Ideally the user should feel that they are conversing with the
ML they think they are sending to.

In the absence of such flexibility from a ML host then clear instructions on the site that
links to the forwarding ML should be enough.

The simplest solution would be for TDF to setup a forwarder to the existing securityteam@oo.o.
I suspect the best solution might be the other way, but would need to know the provider and
what special services they have.


> 	Thanks,
> 		Michael
> -- 
>  <><, Pseudo Engineer, itinerant idiot

View raw message