incubator-ooo-dev mailing list archives

From Rob Weir <>
Subject Re: Vulnerability fixed in LibreOffice
Date Mon, 10 Oct 2011 13:31:55 GMT
On Mon, Oct 10, 2011 at 9:24 AM, Simon Phipps <> wrote:
> On Mon, Oct 10, 2011 at 2:15 PM, Rob Weir <> wrote:
>> I've restated, in more explicit form, what I think the consensus is.
> It's hard to read your words that way, as they leave no room for anyone but
> Apache committers. The clear consensus was for collaboration with the
> StarOffice legacy ecosystem to be made easy.  I'll wait for others to
> respond further, though.

Since you relied on Shane's post initially, let me remind you of what
he wrote [1]:

"I believe and support them having a private security@ list that only
PPMC members are
allowed to subscribe to, to accept reports of vulnerabilities and to
make plans to address them in ASF releases."

I'm stating the same thing.

Shane then stated that he "would definitely vote to use or host an
officesecurity@somedomain private list where *any* existing members of
an OOo related security team would all be allowed to subscribe and work
on issues in conjunction."

I agree with that as well.

These are not mutually exclusive options, Simon.  And this is not just
a two-party thing.  Yes, AOOo and TDF both have their own private
means to discuss security issues.  But so does IBM for Symphony, and
Novell for their products, and RedHat and RedOffice for their
products.  We're not going to eliminate the means for companies and
open source projects to have private discussions about security issues
that are reported to them.  And nor should we seek to.  But we can
have an invitation-only list where we can discuss overlapping
concerns related to security.  That is collaboration that also
respects the autonomy of the individual projects.


> S.
