incubator-ooo-dev mailing list archives

From Dave Fisher <dave2w...@comcast.net>
Subject Re: Neutral / shared security list ...
Date Tue, 25 Oct 2011 15:24:17 GMT

Hi Michael,

On Oct 25, 2011, at 3:47 AM, Michael Meeks wrote:

> Hi Dave,
> 
> On Mon, 2011-10-24 at 16:25 -0700, Dave Fisher wrote:
>> Not sure how much this is like your original proposal, but maybe the
>> following is acceptable:
>> 
>> (1) The securityteam@openoffice.org continues.
> 
> 	As mentioned, not happy about an openoffice.org domain; LibreOffice is
> not openoffice.org, that is not really neutral.

Understood. It is a requirement for a neutral address. On our side it is a desire for the
same address.

>> (2) The membership of securityteam ML should be open to individuals
>> and forks/"downstreams" as selected by the ML membership.
> 
> 	Fine - though I'd characterise AOOoI as a fork too if this
> is used as a loaded term.

Not meant to be "loaded". As in another email exchange with Simon, PEER relationships without
regard to perceived historical relationships.

> 
>> (3) The securityteam ML moderators are selected from the
>> individual membership of the securityteam ML.
> 
> 	Fine.
> 
>> (4) The securityteam ML is nominally under the governance of the
>> ASF - either the AOOo podling PPMC, the Apache Security Team, or
>> even the Foundation Board. I think the AOOo podling PPMC should
>> be acceptable, but we can ask the other entities if that is not
>> neutral enough. We may ask the TDF to neutrally host some
>> component and it would make sense for each entity to trust the
>> neutrality of the other entity (Rob's real point).
> 
> 	Totally un-acceptable, I'm sorry. The Apache project is by no means
> neutral. The decision to take on AOOoI and the actions of that project
> are its responsibility.

By nominally I meant only the minimum required by any responsible host who opens their facilities
to the public.

However, this is moot (does not matter) if the address is not in a domain that the ASF is
responsible for.

>> (5) No iCLAs are required.
> 
> 	Of course.
> 
>> (6) A set point for membership is determined when at least
>> AOOo, TDF, and any other OOo fork/"downstreams" who might
>> appear within a reasonably short time period. The deadline
>> would need to be agreed.
> 
> 	I would not have a process - we should just include everyone competent
> who has a reason to be there; that is normally fairly easy to work out
> relationally; if not the moderators can thrash it out. If it is a
> multi-vendor, neutral list I don't envisage controversy there.

I don't either. My thought was to give individuals / peer projects time to appear. If they
are welcomed gladly by the list after the list's establishment then no troubles.

> 
>> (7) The securityteam@openoffice.org ML will be hosted by the
>> ASF when the MX for openoffice.org is moved to ASF Infrastructure.
> 
> 	Hosting by the ASF is by no means ideal, but perhaps compromise here is
> reasonable.
> 
>> I'm currently curious if LO uses extensions.s.oo.o and templates.s.oo.o?
> 
> 	We built our own new infrastructure for that.

Good for LO. More for AOOo to clean up...

> 
> 	So - I am still fairly firmly convinced that this security thing is not
> going to pan out. Here is my potted history of it:
> 
> 	* initial request for continuing the traditional,
> 	  friendly cross membership of security lists
> 		+ turned down at AOOoI: Apache Committers only
> 	* requests for a neutral list with neutral name turn into:
> 		+ ASF & openoffice.org -are-neutral-; proof by assertion
> 	* more compromise proposals arrive
> 		+ these have high level ASF governance hard-wired

I can see how you would perceive the history this way.

I think it would help to have a single ML and I think that is more important than the address.
securityteam@openoffice.org can be made to forward to that address if necessary.

> 	This doesn't make it seem like we're going anywhere productive, which
> is fine - there is no huge problem with having two separate public
> facing security lists that can have cross membership on them.
> 
> 	Since there is no TDF affiliated admin for the currently suggested,
> Apache controlled, 'neutral' security list, extracting a membership list
> of that would be appreciated - so we can mirror it in a suitable other
> place.

It would be good for the AOOo PPMC to see this list as well. I think that the actual membership
should be shared in private. Would someone with appropriate karma on the OOo MLs please provide
this.

> 	I'm also minded to consider the relative grief of endlessly re-hashing
> this issue vs. actually fixing whatever bugs are found. Can we not just
> move on.

You suggested: officesecurity@lists.freedesktop.org

The comment was that this was not an appropriate domain name as not all of the "Office Space"
is Linux. So, the open question is where the list is hosted.

Martin mentions hosting at Team OpenOffice, but that fails your neutrality test, doesn't it?

Regards,
Dave


> 
> 	All the best,
> 
> 		Michael.
> 
> -- 
> michael.meeks@suse.com  <><, Pseudo Engineer, itinerant idiot
> 

