incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Weir <robw...@apache.org>
Subject [Proposal] Security coordination without a shared list
Date Tue, 25 Oct 2011 16:08:30 GMT
There is an easy way to avoid all the trust issues with regards to
shared mailing lists.  Don't have such a list.  Trust individuals.
This proposal takes this approach.

1) The AOOo PMC solicits the names of security contacts from related
projects who wish to be consulted related to pre-disclosure
coordination related to analysis and resolution of reported security
vulnerabilities.  Names of individuals are preferred over opaque
mailing lists.  Trust can be established based on a PGP/GPG web of
trust.  These names and addresses are stored confidentially in the
PPMC's private SVN directory.

2) The AOOo security team reaches out to these contacts, as
appropriate,v ia their preferred contact mechanism,  to coordinate on
specific vulnerabilities.  We (Apache) would cc ooo-security on our
external emails, as required by Apache policy [1].

3) Other groups would be encouraged to reach out to AOOo in similar
circumstances via our preferred contact mechanism, ooo-security.

4) This fully allows targeted collaboration on specific issues, via
each project's preferred contact mechanism,  without requiring the
maintenance of an additional email list.

5)  If we want to discuss security in general, then that can/should
happen on public dev lists.    That public discussion could occur
anywhere.


[1]: http://www.apache.org/security/committers.html

Mime
View raw message