incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Simon Phipps <si...@webmink.com>
Subject Re: Vulnerability fixed in LibreOffice
Date Wed, 05 Oct 2011 23:45:34 GMT

On 6 Oct 2011, at 00:25, Dennis E. Hamilton wrote:

> Whatever the arrangement is to become, it should not have a single point of failure in
achieving coordination on common-mode/mono-culture vulnerabilities.

Agreed. Let's design something without one.

> 
> Anyone can post to anyone's security list.  But they are private lists.  It is the part
where discretion must occur in handling vulnerabilities until the fix is in and a CVE is posted
that happens privately and that might work better with some shared membership on the security
lists.  On AOOo, the PPMC is aware of any resolution that works into code, because of the
way a security fix gets committed into a release.

In my view, a shared list that's explicitly intended as a collaborative venue is the best
idea - that way developers don't have to understand or agree with the niceties of anyone else's
governance. If securityteam@openoffice.org isn't going to work, how about we ask TDF to host
a collaborative venue for security postings by each other's security team members?

S.


Mime
View raw message