incubator-ooo-dev mailing list archives

From Ross Gardler <rgard...@opendirective.com>
Subject Re: Vulnerability fixed in LibreOffice
Date Mon, 10 Oct 2011 23:34:13 GMT
On 10 October 2011 21:41, Michael Meeks <michael.meeks@suse.com> wrote:

...

>        It seems that you are asserting that the advice from the established
> Apache security mechanism was to be as insular as possible though; is
> that really the case ? are all other Apache projects security lists
> closed to helpful outside membership ?

I'm afraid I can't answer your second question directly. But I can
answer the first. As has been discussed by ASF Members in this thread,
including two who are a part of perhaps the most security conscious
Apache project (the web server), the position is that:

a) AOOo needs a private list for discussion of security issues
specific to AOOo, I would expect LO needs their own private list for
the same reason.

b) Because other communities exist based on a common code base it
makes sense to attempt to build an appropriate mechanism to
collaborate on security issues that affect both projects

I will observe that, to my knowledge, no other ASF project is faced
with situation b).

I will also observe that at some point in the future any mechanism put
in place now for b) may become useless as code bases diverge further
OR increased levels of collaboration on core components are
achieved. However, today there is a potential for collaboration across
the communities.

I will also observe that a proposal to address both a and b has been
put forward, and repeated numerous times, in this thread. I've even
seen it agreed upon, at least in principle, by most parties in this
discussion.

[the next three sentences are a general observation and not in direct
response to Michael]

Unfortunately the bickering about "who started it" is getting in the
way of moving towards a solution.

As a mentor I find it a great shame as this opportunity for healthy
collaboration between LO and AOOo might be missed because we want to
dissect this incident rather than look at the bigger picture of how we
might work together on future incidents.

Ross
