incubator-ooo-dev mailing list archives

From Jürgen Schmidt <>
Subject Re: Vulnerability fixed in LibreOffice
Date Thu, 06 Oct 2011 15:17:14 GMT
On Thu, Oct 6, 2011 at 5:07 PM, Shane Curcuru <> wrote:

> Wow, has this thread not gone anywhere, nor been as polite as I'd hope.
> ----
> Fundamentally, the ASF has delegated responsibility for all future Apache
> OpenOffice releases to the Apache OpenOffice PPMC.  I believe and support
> them having a private security@ list that only PPMC members are allowed to
> subscribe to, to accept reports of vulnerabilities and to make plans to
> address them in ASF releases.
> The issue is, what to do with security issues raised about *previous*
> releases of software - something that normally we'd all look
> to Oracle and the previous Security Team of to fix, but in
> this case, we need to at least attempt to address them ourselves (hopefully,
> jointly).
> I think we've completely lost sight of "B", a place where Apache OpenOffice
> PPMC members and trusted others of related projects can work together.
>  Given the interrelationships of code between OpenOffice and LibreOffice and
> others, I would definitely vote to use or host an officesecurity@somedomainprivate list
> where *any* existing members of an OOo related security team
> would all be allowed to subscribe and work on issues in conjunction.
> Personally, I'd suggest using the existing for
> this purpose of "B", because it's already well known, and uses the
> domain (which will be hosted by the ASF in the future). The
> Apache-specific list would be the existing ooo-security@incubator.apache.org
> list, which would be open only to
> ASF committers that the Apache OpenOffice PPMC approves.
> But that's just my (non-binding) vote.  But I'd definitely like to see more
> organized cooperation here in terms of capturing and sharing basic
> information about security fixes.
Thanks Shane, that is more or less what I had in mind too. But it seems that
I wasn't able to describe it clearly enough.


> And in terms of IP, I would hope that any participants in the (future)
> joint securityteam@oo.o list would agree explicitly to mail only
> AL-licensed code to that list, ensuring that the Apache OpenOffice podling
> could use it in a release.
> - Shane
> On 10/6/2011 10:38 AM, Florian Effenberger wrote:
>> Hi,
>> Jürgen Schmidt wrote on 2011-10-06 14:40:
>>> My idea is to simply use the existing
>>> <knownsecurityteam@openoffice.org>
>>> list for
>>> collaborative work on this topic. LibreOffice has also a separate
>>> security
>>> list, right. So I don't see your point here.
>> I proposed that, Rob Weir refused to continue with the existing
>> contacts, telling things at Apache were different.
>> Ping me when you folks have sorted out your issues.
>> Florian
