incubator-ooo-dev mailing list archives

From Rob Weir <robw...@apache.org>
Subject Re: Neutral / shared security list ...
Date Tue, 25 Oct 2011 13:40:56 GMT
On Tue, Oct 25, 2011 at 6:47 AM, Michael Meeks <michael.meeks@suse.com> wrote:
> Hi Dave,
>
> On Mon, 2011-10-24 at 16:25 -0700, Dave Fisher wrote:
>> Not sure how much this is like your original proposal, but maybe the
>> following is acceptable:
>>
>> (1) The securityteam@openoffice.org continues.
>
>        As mentioned, not happy about an openoffice.org domain; LibreOffice is
> not openoffice.org, that is not really neutral.
>

I think part of the confusion here is that some of us are talking
about "trust" and you are talking about "neutrality" and many of us
are conflating the two.

For example:   I think we would agree that the United Nations building
in NYC is a neutral venue.  But I wouldn't want to accidentally leave
my wallet in the rest rooms there.  Neutrality is not the same as
trustworthy.

And even with trust we're not really saying what we think that means.
Are we talking about verified identities, a web of trust that can be
confirmed via digital signatures?  Or trust in terms of confident
belief that we're not going to stab each other in the back?
Obviously the latter form of trust is independent of the neutrality of
the venue.  It is trust of individuals and their actions, not trust of
neutral venues.  (Many countries have been stabbed in the back at the
UN)

I'd recommend that we seek trust, and do so via transparency.  The
subscriber list of securityteam should be made public.  Let's
demonstrate that there is no boogeyman hiding in the shadows.  Let's
show that the members are well-known members of the AOOo and LO
communities, as well as security experts from other vendors and Linux
distros.

We have a common goal - improving security for our users.  Neutrality
then comes when all parties are represented and able freely to express
their views, like at the UN, even though it is in the USA.   The rest
is just community practice, and we should have enough respect for the
community in that list -- once we understand better who is on that
list -- to establish their own rules and norms of behavior.  I don't
think we want to dictate from above how the list operates, something
we have hesitated to do for any other list in this project.

In the end, trust and neutrality are complex social phenomena.  If you
try to reduce this complexity to an IP address (or a street address)
then you will fail every time.

-Rob
