incubator-ooo-dev mailing list archives

From Rob Weir <robw...@apache.org>
Subject Re: [Proposal] Security coordination without a shared list
Date Tue, 25 Oct 2011 17:37:01 GMT
On Tue, Oct 25, 2011 at 1:29 PM, Dave Fisher <dave2wave@comcast.net> wrote:
> Rob,
>
> I'd like to actually try to work out the shared list situation with a sincere spirit
> of mutual understanding, listening and co-operation.
>
> On Oct 25, 2011, at 9:08 AM, Rob Weir wrote:
>
>> There is an easy way to avoid all the trust issues with regards to
>> shared mailing lists.  Don't have such a list.  Trust individuals.
>> This proposal takes this approach.
>>
>> 1) The AOOo PMC solicits the names of security contacts from related
>> projects who wish to be consulted related to pre-disclosure
>> coordination related to analysis and resolution of reported security
>> vulnerabilities.  Names of individuals are preferred over opaque
>> mailing lists.  Trust can be established based on a PGP/GPG web of
>> trust.  These names and addresses are stored confidentially in the
>> PPMC's private SVN directory.
>
> Do you have software that actually exists that does this? Who is going to build this?
>

Yes.  It doesn't require anything special beyond GPG and an email client.

>>
>> 2) The AOOo security team reaches out to these contacts, as
>> appropriate, via their preferred contact mechanism, to coordinate on
>> specific vulnerabilities.  We (Apache) would cc ooo-security on our
>> external emails, as required by Apache policy [1].
>
> Replies would not necessarily be cc'd to ooo-security and that would be a problem.
>

With a mailing list you also have the problem that sometimes someone
responds to the individual rather than to the list.  We're all
familiar with that risk and know how to watch out for it.

As I understand this is also the approach that other Apache projects
use.  You don't see other projects set up additional off-site
"neutral" mailing lists for this purpose.  Please correct me if you
know of other examples at Apache.  But projects do reach out for
pre-disclosure.  So this is an approach Apache does have some
experience with.

>>
>> 3) Other groups would be encouraged to reach out to AOOo in similar
>> circumstances via our preferred contact mechanism, ooo-security.
>>
>> 4) This fully allows targeted collaboration on specific issues, via
>> each project's preferred contact mechanism,  without requiring the
>> maintenance of an additional email list.
>>
>> 5)  If we want to discuss security in general, then that can/should
>> happen on public dev lists.    That public discussion could occur
>> anywhere.
>>
>>
>> [1]: http://www.apache.org/security/committers.html
>
> Time to be productive today.
>
> Regards,
> Dave
>
>
>
>
