incubator-ooo-dev mailing list archives

From Dave Fisher <dave2w...@comcast.net>
Subject Re: [proposal] Neutral / shared security list ...
Date Wed, 26 Oct 2011 00:03:24 GMT

On Oct 25, 2011, at 4:43 PM, Rob Weir wrote:

> On Tue, Oct 25, 2011 at 7:19 PM, Dave Fisher <dave2wave@comcast.net> wrote:
>> 
>> On Oct 25, 2011, at 4:05 PM, Rob Weir wrote:
>> 
>>> On Tue, Oct 25, 2011 at 7:01 PM, Dennis E. Hamilton
>>> <dennis.hamilton@acm.org> wrote:
>>>> Oh, and the most important part:
>>>> 
>>>> In what way is the AOOo party to the consensus that is reached?  That ooo-security
>>>> (an agent of the PPMC, essentially) will participate in the described community arrangement
>>>> if established? Something else?
>>>> 
>>> 
>>> It would be good to also include in the proposal how IP will be
>>> treated.  By my reading of the iCLA this would not be covered, since
>>> it is not an Apache list.  We'd need to make some other agreement,
>>> take it to legal-discuss, etc.
>> 
>> I'm not so sure.
>> 
> 
> Think of it this way: where else at Apache is it permissible for an
> Incubation project to collaborate on project code on a private
> non-Apache list, with no agreement on license, no mentor visibility,
> and no audit trail for Apache members to inspect?  This doesn't sound
> like the kind of diligence Apache projects traditionally give to IP
> issues everywhere else.  We owe it to our users and ourselves to get
> this right.

We only care about the code that actually makes it into AOOo. Only ooo-security members will
be committing code fixes for AOOo security issues.

> 
>> ooo-security is responsible for assuring that security fixes for AOOo are AL2 compatible.
>> If the shared security group is not producing compatible IP in response to a security threat,
>> that is a different problem. If it happens often then ooo-security will need to discuss this
>> with ooo-private.
>> 
> 
> Putting the responsibility on ooo-security members in such an
> untenable situation will only lead to the resignation of ooo-security
> members.  I think we need some way to enforce this.

If it becomes a problem then we deal with it on ooo-private as a community problem. Either
we'll need more PPMC on ooo-security or there will be a tangible issue to resolve.

> 
> From what I'm reading, not even Apache committers who have signed the
> iCLA are bound to the iCLA for contributions made on some ad-hoc,
> private, non-Apache list.

So?

>> We can make it a mission statement of this group to help all the peers produce fixes
>> that are compatible with their licenses. I don't think we can guarantee all individuals on
>> the team will be able to always do so. Requiring such an affirmation is clearly a blocker
>> for some individuals' participation.
>> 
> 
> I think then we need to weigh having a smashing fun party with LO
> hackers in a private, unauditable list with no license discipline
> versus Apache's primary mission of producing software for public use
> under the Apache 2.0 license.

Code through Community. I'm trying to find a way to keep the larger community together.

You are asserting that the list will be unauditable when the ASF is still a possible "ISP"?

You are asserting a "smashing fun party" problem that is not visible to me.

> 
> The alternative is to step back, realize that Florian has confused
> what the PPMC position is on securityteam participation and take that
> route.  Since that would be an Apache list, AOOo committers would
> already be covered. And we could cover the remaining users via a Terms
> of Use statement for the list.

I'm trying to get there, but let's not forget that others have raised the "domain neutrality"
requirement.

Regards,
Dave

> 
> -Rob
> 
>> Regards,
>> Dave
>> 
>>> 
>>>> I think that would be essential to bringing this to a successful conclusion.
>>>> 
>>>> -----Original Message-----
>>>> From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org]
>>>> Sent: Tuesday, October 25, 2011 15:45
>>>> To: 'ooo-dev@incubator.apache.org'
>>>> Cc: 'Dave Fisher'
>>>> Subject: RE: [proposal] Neutral / shared security list ...
>>>> 
>>>> Dave, if you are going to do that, just relabeling a thread is not helpful.
>>>> 
>>>> Please compose a specific concrete proposal under a [DISCUSS], and announce
>>>> the duration and end-time for a lazy consensus at the top.
>>>> 
>>>> Give it at least 3 full 24-hour calendar days.
>>>> 
>>>> I don't have any sense that there is alignment yet, but there may be in that
>>>> time and I am happy to be mistaken.  Then at the end, if there is a consensus, please report
>>>> what it is.
>>>> 
>>>>  - Dennis
>>>> 
>>>> -----Original Message-----
>>>> From: Dave Fisher [mailto:dave2wave@comcast.net]
>>>> Sent: Tuesday, October 25, 2011 15:35
>>>> To: ooo-dev@incubator.apache.org
>>>> Cc: floeff@documentfoundation.org
>>>> Subject: Re: [proposal] Neutral / shared security list ...
>>>> 
>>>> Hi -
>>>> 
>>>> Sorry to reply to myself.
>>>> 
>>>> Even though there are choices in this email, please view it as a proposal
>>>> where we are seeking lazy consensus.
>>>> 
>>>> On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote:
>>>> 
>>>>> On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote:
>>>>> 
>>>>>> On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher <dave2wave@comcast.net> wrote:
>>>>>> 
>>>>>>> 
>>>>>>> Agreed. We need to pick a neutral domain name. office-security.org is
>>>>>>> apparently free.
>>>>>>> 
>>>>>>> Some institution needs to buy domain registration. I've been the volunteer
>>>>>>> registrar for a social group's domain, it is a pain to transition. This needs
>>>>>>> to be an institution, it could be Team OOo?
>>>>>>> 
>>>>>> 
>>>>>> I think they are too close to the matter.  SPI exists specifically to hold
>>>>>> assets in trust - perhaps they would hold the registration for us all?  If
>>>>>> we agree I'd be happy to volunteer to contact them.
>>>>>> 
>>>>>> It's also possible we could ask OSI to do it - Jim Jagielski and I are both
>>>>>> on the Board at present.
>>>>> 
>>>>> These are both interesting ideas.
>>>> 
>>>> The proposal is to pick a domain and get registration. Simon volunteers to help.
>>>> 
>>>> 
>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> 
>>>>>>> An ISP for hosting the private ML needs to be selected. Dennis suggests
>>>>>>> that the ASF could be that ISP for free.
>>>>> 
>>>>> <slight snip/>
>>>>> 
>>>>> And:
>>>>> 
>>>>> <insert>
>>>>> 
>>>>> On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote:
>>>>> 
>>>>> <snip/>
>>>>> 
>>>>>> 
>>>>>> If we basically agree that such a list as outlined by me is a way to go, I am
>>>>>> happy to ask a friend of mine who has a very good reputation in being a mail server,
>>>>>> mailing list and security expert, with a very good track record, including all sorts
>>>>>> of certifications. He is offering e-mail services as a business.
>>>>>> 
>>>>>> I just don't want to spread the name publicly without asking him first, and I
>>>>>> don't want to ask him before we have some common understanding. :-)
>>>>>> 
>>>>> 
>>>>> 
>>>>> </insert>
>>>> 
>>>> The proposal is for the existing securityteam to choose; the above are two
>>>> possibilities.
>>>> 
>>>> 
>>>>> 
>>>>> 
>>>>>>> 
>>>>>>> securityteam@oo.o is migrated to whatever the new list is, and those
>>>>>>> people start administrating.
>>>>>>> 
>>>>>>> I think it is very important for the public to know who all of the projects
>>>>>>> are on the shared ML.
>>>> 
>>>> I propose that this shared security team provide a list of participating
>>>> peers to the public.
>>>> 
>>>>>>> 
>>>>>>> Are we done already :-)
>>>>> 
>>>>> Let's let the world revolve to see if we have some Consensus.
>>>> 
>>>> Revolve 3x or 72 hours.
>>>> 
>>>> Regards,
>>>> Dave
>>>> 
>>>>> 
>>>>> Regards,
>>>>> Dave
>>>>> 
>>>>>>> 
>>>>>>> Regards,
>>>>>>> Dave
>>>>>>> 
>>>>>>>> 
>>>>>>>> That is fair to anyone, does not exclude anyone, does not benefit one
>>>>>>>> over the other -- it's easy, simple, and the best way to go. Sure,
>>>>>>>> everyone can create their own aliases pointing to that list, but the core is
>>>>>>>> the same, and that's what matters.
>>>>>>>> 
>>>>>>>> If you folks now start complaining that we don't trust Apache, we can
>>>>>>>> answer by complaining you don't trust TDF and so on. It's a horrible
>>>>>>>> waste of time, it's lame, it does not help anyone, and it makes me doubt
>>>>>>>> we're talking amongst adults, seriously.
>>>>>>>> 
>>>>>>>> And, really, all this crap being tossed around about trustworthiness,
>>>>>>>> upstream, downstream, code similarities and insults is worth not even
>>>>>>>> the digital paper it's written on.
>>>>>>>> 
>>>>>>>> I made a simple, plain, and easy proposal. Don't make things overly
>>>>>>>> complicated, folks.
>>>>>>>> 
>>>>>>>> Thanks for considering,
>>>>>>>> Florian
>>>>>>>> 
>>>>>>>> --
>>>>>>>> Florian Effenberger <floeff@documentfoundation.org>
>>>>>>>> Steering Committee and Founding Member of The Document Foundation
>>>>>>>> Tel: +49 8341 99660880 | Mobile: +49 151 14424108
>>>>>>>> Skype: floeff | Twitter/Identi.ca: @floeff
>>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> Simon Phipps
>>>>>> +1 415 683 7660 : www.webmink.com
>>>>> 
>>>> 
>>>> 
>> 
>> 

