incubator-ooo-dev mailing list archives

From Jürgen Schmidt <jogischm...@googlemail.com>
Subject Re: Vulnerability fixed in LibreOffice
Date Thu, 06 Oct 2011 11:18:36 GMT
On Thu, Oct 6, 2011 at 1:45 AM, Simon Phipps <simon@webmink.com> wrote:

>
> On 6 Oct 2011, at 00:25, Dennis E. Hamilton wrote:
>
> > Whatever the arrangement is to become, it should not have a single point
> of failure in achieving coordination on common-mode/mono-culture
> vulnerabilities.
>
> Agreed. Let's design something without one.
>
> >
> > Anyone can post to anyone's security list.  But they are private lists.
>  It is the part where discretion must occur in handling vulnerabilities
> until the fix is in and a CVE is posted that happens privately and that
> might work better with some shared membership on the security lists.  On
> AOOo, the PPMC is aware of any resolution that works into code, because of
> the way a security fix gets committed into a release.
>
> In my view, a shared list that's explicitly intended as a collaborative
> venue is the best idea - that way developers don't have to understand or
> agree with the niceties of anyone else's governance. If
> securityteam@openoffice.org isn't going to work, how about we ask TDF to
> host a collaborative venue for security postings by each other's security
> team members?
>

Whether it is a TDF or ASF list is secondary for me, but I would volunteer to join this
mailing list to help on this topic in the future. But maybe we should try to
keep the existing and known securityteam@openoffice.org mailing list and I
see no reason why it shouldn't work. I think it is probably more a problem
of the people on this list and missing communication. I assume that people
on this list now have other priorities and are not so responsive, which of
course is natural if they have a new job or moved into other projects ...

We should simply ensure that people who are active on both projects are on
the list and take care of such things.

Juergen


>
> S.
>
>
