incubator-ooo-dev mailing list archives

From Simon Phipps <si...@webmink.com>
Subject Re: Neutral / shared security list ...
Date Tue, 25 Oct 2011 00:12:03 GMT

On 25 Oct 2011, at 01:25, Dave Fisher wrote:

> Simon,
> 
> Please don't despair!

:-)   Thanks, Dave. Encouragement accepted and appreciated.

> 
> I think that Rob is getting ahead of the situation. We need to reach a simple agreement about this single issue before bringing up other obvious places of overlap.  I think we may really be closer than we think.

I hope so. The private feedback I have heard from some of the TDF committers is they read
the hostility clearly and have proceeded with starting a list as Michael Meeks proposed. I
fear my fence-mending skills may be inadequate at this stage.

> Not sure how much this is like your original proposal,

Strong similarities :-)  My original outline was:
---
"*  That securityteam@openoffice.org be used as the shared meta-community security contact
list for projects deriving their source code from the former Sun-led OpenOffice.org project.
The list would be used for any valid meta-community security matter including especially announcement
co-ordination.

* That the list should be private to list members (and with the consent of the list, to their
project's private security list), with mutually agreed confidentiality, and populated only
with people known to the majority of the list members as bona fide security-related developers.

*  That the list be populated only with the consent of the existing list members (suggested
process: a list member proposes a new list member with a brief explanation why they are a
good-faith and experienced security developer in the meta-community. Code-modification-style
voting takes place. A moderator adds the new member. In the event of mishap, list members
may be removed using the same process). 

*  Agreeing who the moderators should be by list-member consensus"
---

> but maybe the following is acceptable:
> 
> (1) The securityteam@openoffice.org continues.
> 
> (2) The membership of securityteam ML should be open to individuals and forks/"downstreams" as selected by the ML membership.
> 
> (3) The securityteam ML moderators are selected from the individual membership of the securityteam ML.
> 
> (4) The securityteam ML is nominally under the governance of the ASF - either the AOOo podling PPMC, the Apache Security Team, or even the Foundation Board. I think the AOOo podling PPMC should be acceptable, but we can ask the other entities if that is not neutral enough. We may ask the TDF to neutrally host some component and it would make sense for each entity to trust the neutrality of the other entity (Rob's real point).
> 
> (5) No iCLAs are required.
> 
> (6) A set point for membership is determined when at least AOOo, TDF, and any other OOo fork/"downstreams" who might appear within a reasonably short time period. The deadline would need to be agreed.
> 
> (7) The securityteam@openoffice.org ML will be hosted by the ASF when the MX for openoffice.org is moved to ASF Infrastructure.

I do think some sort of "mission statement" along the lines I suggested would be helpful.
I think you hit most of the practical points, apart from some nuancing (AOOo and LO really
are peer projects at this stage, you know, we need to strenuously avoid any language implying
one is in some way hierarchically superior to the other!)

> 
>> I suggest you go to their mailing lists and make your proposals. Maybe you can earn TDF membership with your contributions?
> 
> This is a reasonable place to go to ask the TDF to host some component OOo by the TDF.
> 
> I'm currently curious if LO uses extensions.s.oo.o and templates.s.oo.o?

It does at present but there's a replacement in beta-test right now - see http://blog.documentfoundation.org/2011/09/12/libreoffice-launches-extension-and-templates-repository-for-public-beta-test/

S.


