incubator-ooo-dev mailing list archives

From Jürgen Schmidt <jogischm...@googlemail.com>
Subject Re: Vulnerability fixed in LibreOffice
Date Thu, 06 Oct 2011 15:17:14 GMT
On Thu, Oct 6, 2011 at 5:07 PM, Shane Curcuru <asf@shanecurcuru.org> wrote:

> Wow, has this thread not gone anywhere, nor been as polite as I'd hope.
>
> ----
>
> Fundamentally, the ASF has delegated responsibility for all future Apache
> OpenOffice releases to the Apache OpenOffice PPMC.  I believe and support
> them having a private security@ list that only PPMC members are allowed to
> subscribe to, to accept reports of vulnerabilities and to make plans to
> address them in ASF releases.
>
> The issue is, what to do with security issues raised about *previous*
> releases of OpenOffice.org software - something that normally we'd all look
> to Oracle and the previous Security Team of OpenOffice.org to fix, but in
> this case, we need to at least attempt to address them ourselves (hopefully,
> jointly).
>
> I think we've completely lost sight of "B", a place where Apache OpenOffice
> PPMC members and trusted others of related projects can work together.
> Given the interrelationships of code between OpenOffice and LibreOffice and
> others, I would definitely vote to use or host an officesecurity@somedomain
> private list where *any* existing members of an OOo related security team
> would all be allowed to subscribe and work on issues in conjunction.
>
> Personally, I'd suggest using the existing securityteam@openoffice.org for
> this purpose of "B", because it's already well known, and uses the
> openoffice.org domain (which will be hosted by the ASF in the future). The
> Apache-specific list would be the existing ooo-security@incubator.apache.org
> list, which would be open only to
> ASF committers that the Apache OpenOffice PPMC approves.
>
> But that's just my (non-binding) vote.  But I'd definitely like to see more
> organized cooperation here in terms of capturing and sharing basic
> information about security fixes.
>
>
Thanks Shane, that is more or less what I had in mind too. But it seems that
I wasn't able to describe it clearly enough.

Juergen



> And in terms of IP, I would hope that any participants in the (future)
> joint securityteam@oo.o list would agree explicitly to mail only
> AL-licensed code to that list, ensuring that the Apache OpenOffice podling
> could use it in a release.
>
> - Shane
>
>
> On 10/6/2011 10:38 AM, Florian Effenberger wrote:
>
>> Hi,
>>
>> Jürgen Schmidt wrote on 2011-10-06 14:40:
>>
>>> My idea is to simply use the existing
>>> securityteam@openoffice.org
>>> list for
>>> collaborative work on this topic. LibreOffice has also a separate
>>> security
>>> list, right. So I don't see your point here.
>>>
>>
>> I proposed that, Rob Weir refused to continue with the existing
>> contacts, telling things at Apache were different.
>>
>> Ping me when you folks have sorted out your issues.
>>
>> Florian
>>
>>
