incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ross Gardler <rgard...@opendirective.com>
Subject Re: PMC report for October 2011
Date Wed, 12 Oct 2011 16:37:53 GMT
It's great to see this coming together now. Thank you everyone.

Ross

On 12 October 2011 16:48, Dave Fisher <dave2wave@comcast.net> wrote:
>
> On Oct 12, 2011, at 6:43 AM, Rob Weir wrote:
>
>> On Wed, Oct 12, 2011 at 9:04 AM, Shane Curcuru <asf@shanecurcuru.org> wrote:
>>> On 10/12/2011 8:51 AM, Rob Weir wrote:
>>>>
>>>> On Wed, Oct 12, 2011 at 6:34 AM, Ross Gardler
>>>> <rgardler@opendirective.com>  wrote:
>>>>>
>>>>> Before I sign off I'd like to see the report address external
>>>>> communications explicitly.
>>>>>
>>>>> The project has a real problem right now with asserting itself as the
>>>>> OpenOffice.org project and defining how it will interact with
>>>>> downstream projects. Is the community going to take ownership of this?
>>>>>
>>>>> It would be nice to see a statement from the PPMC making it explicit
>>>>> what they wish to tackle and, where possible, how. For example, after
>>>>> a flurry of discussion about improved security reporting processes and
>>>>> collaboration opportunities is the PPMC going to deliver or will this
>>>>> just die down and go away?
>>>>>
>>>>
>>>> In that other long thread -- and it is understandable if you missed
>>>> this -- I said:
>>>>
>>>> "I think it would be good if the PPMC wanted to express to the
>>>> ooo-security members that they want us to make security collaboration
>>>> with TDF/LO a priority and to make every effort to share all
>>>> appropriate information with TDF/LO.  I'd support that.  This could be
>>>> solemnized by having a few Apache members, maybe mentors, affirm that
>>>> they will make an effort to monitor that ooo-security list and to
>>>> escalate to the AOOo PPMC is there is any backsliding on this."
>>>
>>> I'm not sure what you're actually asking here.  "ooo-security members"
>>> should be the people the PPMC appoints/approves there (and potentially
>>> anyone that the central Apache security@ team appoints), so it seems like
>>> you're talking about yourselves there.  Who else is there between the
>>> ooo-security@ list and the PPMC?
>>>
>>
>> Currently, there is no one one between ooo-security and the PPMC.  And
>> I am perfectly fine with that.  But Ross's question was about external
>> relations, not the relationship between the PPMC and ooo-security.
>
> I think that "we" as the AOOo PPMC will need to find one or more PPMC members to fulfill
certain external roles.
>
> Perhaps these roles are:
>
> (1) Public face of Security for AOOo.
>
> (2) Liaison with the TDF.
>
> (3) Press Liaison.
>
> (4) Brand Manager / Cat Herder.
>
> With people in these roles who are active then perhaps the rest of us can defer immediate
responses to questions in these areas when they occur on ooo-dev. With slight formality we
might be able to stop the periodic and damaging flames of misunderstanding.
>
> Regards,
> Dave
>
>>
>>> Yes, I agree that efforts should be made to responsibly share security
>>> issues with technically related projects.  This should be a default; while
>>> it's certainly good to bring it up, if there was anyone here who wasn't
>>> clear on the idea that Apache projects *must* take security seriously,
>>> then... well, then they should change their expectations.
>>>
>>
>> That wasn't my point.  I don't think it was Ross's either.
>>
>>> Security in Apache products - and properly handling reports and
>>> *responsibly* disclosing issues - is a mandatory feature.  If the PPMC does
>>> have specific questions on best Apache practices, then security@ is the
>>> place to go.
>>>
>>
>> Yes, but not the point.
>>
>>>> So I'm proposing that a couple Apache members step up to the plate on
>>>> this as well.  What do you say?
>>>
>>> The point of incubation is to show a healthy community that manages itself.
>>>  So I'm looking to the PPMC to be handling this yourselves. That said,
>>> trying to attract new contributors - especially ones who are familiar with
>>> the Apache Way - is always a good idea.
>>>
>>
>> Maybe someone else can explain this better, since I'm obviously
>> failing to get my point across here.  If no one else cares, then
>> that's fine too.
>>
>>> I certainly plan to review the ooo-security@ list periodically to see how
>>> it's operating, as a mentor, but currently that's to prove to myself that
>>> the project's members are acting responsibly, not necessarily to do the
>>> project's work for it.
>>>
>>> - Shane
>>>
>>>
>>>>
>>>> -Rob
>>>>
>>>>
>>>>> NOTE I'm not asking for a full strategy in the report, just a
>>>>> statement indicating whether or not the PPMC feels that it owns these
>>>>> issues. If it doesn't want to own them then who does?
>>>>>
>>>>> Ross
>>>>>
>>>>> On 7 October 2011 15:33, Shane Curcuru<asf@shanecurcuru.org>  wrote:
>>>>>>
>>>>>> Tip: the board always appreciates well written reports that follow
these
>>>>>> reporting guidelines:
>>>>>>
>>>>>>  http://www.apache.org/foundation/board/reporting
>>>>>>
>>>>>> - Shane
>>>>>>
>>>>>> On 10/5/2011 8:05 PM, Alexandro Colorado wrote:
>>>>>>>
>>>>>>> Added some items for the October report for OOo. Feel free to
chip in.
>>>>>>>
>>>>>>>
>>>>>>> http://wiki.apache.org/incubator/October2011?action=diff&rev2=11&rev1=10
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Ross Gardler (@rgardler)
>>>>> Programme Leader (Open Development)
>>>>> OpenDirective http://opendirective.com
>>>>>
>>>
>
>



-- 
Ross Gardler (@rgardler)
Programme Leader (Open Development)
OpenDirective http://opendirective.com

Mime
View raw message