incubator-ooo-dev mailing list archives

From Rob Weir <robw...@apache.org>
Subject Re: Vulnerability fixed in LibreOffice
Date Mon, 10 Oct 2011 22:58:20 GMT
On Mon, Oct 10, 2011 at 4:41 PM, Michael Meeks <michael.meeks@suse.com> wrote:

<snip>

>>   All I'm doing is suggesting that we treat AOOo security like we do
>> for every other Apache project.
>
>        Sounds great - let's have openness to other projects, and
> cross-fertilisation of list composition without arbitrary and
> unnecessary barriers to entry then :-) I'd love that.
>

We are open.  You're welcome to join. And if not you personally,
for moral, dietary or other reasons, then maybe you can find another
TDF member who can join to represent your project.  Can you find a
single TDF member to do this?  Not even one out of your 700
developers?   We have several TDF members who are also Apache
committers and have already signed the iCLA.  Maybe one of them can be
your liaison?  Maybe one of them wants to volunteer?

>        It seems that you are asserting that the advice from the established
> Apache security mechanism was to be as insular as possible though; is
> that really the case? Are all other Apache projects' security lists
> closed to helpful outside membership?
>

You should look at the entire security response process and not fixate
on the list alone.  The list is one technical component of the overall
security response.  A closed list does not equate to a closed process.
An Apache project has every ability to collaborate with outside
parties on the resolution of issues, and to predisclose information
with downstream consumers and others who use the same or similar code
base.  It happens all the time.  It is part of being a successful
project and having a diverse ecosystem.  Having an additional
security-discuss list sounds like a fine idea.  But that does not
obviate the purpose, function and need for ooo-security.

In other words, we have the ability and the discretion to share
information as broadly as appropriate in any given situation.  So do
you, as you have shown.  But the fact that your discretion in this
current incident exhibited extremely poor judgement does not imply
that our judgement would also be poor under similar circumstances.  In
fact, I'm certain we would have handled this far better than you did.
Why? Because the ooo-security list is readable by all Apache members.
Ditto for the archives.   They provide the oversight.  They ensure that
we're not abusing that list.  We have checks and balances.

I think it would be good if the PPMC wanted to express to the
ooo-security members that they want us to make security collaboration
with TDF/LO a priority and to make every effort to share all
appropriate information with TDF/LO.  I'd support that.  This could be
solemnized by having a few Apache members, maybe mentors, affirm that
they will make an effort to monitor that ooo-security list and to
escalate to the AOOo PPMC if there is any backsliding on this.

-Rob
