incubator-ooo-dev mailing list archives

From Rob Weir <robw...@apache.org>
Subject Re: [proposal] Neutral / shared security list ...
Date Tue, 25 Oct 2011 23:43:20 GMT
On Tue, Oct 25, 2011 at 7:19 PM, Dave Fisher <dave2wave@comcast.net> wrote:
>
> On Oct 25, 2011, at 4:05 PM, Rob Weir wrote:
>
>> On Tue, Oct 25, 2011 at 7:01 PM, Dennis E. Hamilton
>> <dennis.hamilton@acm.org> wrote:
>>> Oh, and the most important part:
>>>
>>> In what way is the AOOo party to the consensus that is reached?  That ooo-security
>>> (an agent of the PPMC, essentially) will participate in the described community arrangement
>>> if established? Something else?
>>>
>>
>> It would be good to also include in the proposal how IP will be
>> treated.  By my reading of the iCLA this would not be covered, since
>> it is not an Apache list.  We'd need to make some other agreement,
>> take it to legal-discuss, etc.
>
> I'm not so sure.
>

Think of it this way: where else at Apache is it permissible for an
Incubation project to collaborate on project code on a private
non-Apache list, with no agreement on license, no mentor visibility,
and no audit trail for Apache members to inspect?  This doesn't sound
like the kind of diligence Apache projects traditionally give to IP
issues everywhere else.  We owe it to our users and ourselves to get
this right.

> ooo-security is responsible for assuring that security fixes for AOOo are AL2 compatible.
> If the shared security group is not producing compatible IP in response to a security threat
> that is a different problem. If it happens often then ooo-security will need to discuss this
> with ooo-private.
>

Putting the responsibility on ooo-security members in such an
untenable situation will only lead to the resignation of ooo-security
members.  I think we need some way to enforce this.

From what I'm reading, not even Apache committers who have signed the
iCLA are bound to the iCLA for contributions made on some ad-hoc,
private, non-Apache list.

> We can make it a mission statement of this group to help all the peers produce fixes
> that are compatible with their licenses. I don't think we can guarantee all individuals on
> the team will be able to always do so. Requiring such an affirmation is clearly a blocker
> for some individual's participation.
>

I think then we need to weigh having a smashing fun party with LO
hackers in a private, unauditable list with no license discipline
versus Apache's primary mission of producing software for public use
under the Apache 2.0 license.

The alternative is to step back, realize that Florian has confused
what the PPMC position is on securityteam participation and take that
route.  Since that would be an Apache list, AOOo committers would
already be covered. And we could cover the remaining users via a Terms
of Use statement for the list.

-Rob

> Regards,
> Dave
>
>>
>>> I think that would be essential to bringing this to a successful conclusion.
>>>
>>> -----Original Message-----
>>> From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org]
>>> Sent: Tuesday, October 25, 2011 15:45
>>> To: 'ooo-dev@incubator.apache.org'
>>> Cc: 'Dave Fisher'
>>> Subject: RE: [proposal] Neutral / shared security list ...
>>>
>>> Dave, if you are going to do that, just relabeling a thread is not helpful.
>>>
>>> Please compose a specific concrete proposal under a [DISCUSS], and announce the
>>> duration and end-time for a lazy consensus at the top.
>>>
>>> Give it at least 3 full 24-hour calendar days.
>>>
>>> I don't have any sense that there is alignment yet, but there may be in that
>>> time and I am happy to be mistaken.  Then at the end, if there is a consensus, please report
>>> what it is.
>>>
>>>  - Dennis
>>>
>>> -----Original Message-----
>>> From: Dave Fisher [mailto:dave2wave@comcast.net]
>>> Sent: Tuesday, October 25, 2011 15:35
>>> To: ooo-dev@incubator.apache.org
>>> Cc: floeff@documentfoundation.org
>>> Subject: Re: [proposal] Neutral / shared security list ...
>>>
>>> Hi -
>>>
>>> Sorry to reply to myself.
>>>
>>> Even though there are choices in this email, please view it as a proposal where
>>> we are seeking lazy consensus.
>>>
>>> On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote:
>>>
>>>> On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote:
>>>>
>>>>> On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher <dave2wave@comcast.net> wrote:
>>>>>
>>>>>>
>>>>>> Agreed. We need to pick a neutral domain name. office-security.org is
>>>>>> apparently free.
>>>>>>
>>>>>> Some institution needs to buy domain registration. I've been the volunteer
>>>>>> registrar for a social groups domain, it is a pain to transition. This needs
>>>>>> to be an institution, it could be Team OOo?
>>>>>>
>>>>>
>>>>> I think they are too close to the matter.  SPI exists specifically to hold
>>>>> assets in trust - perhaps they would hold the registration for us all?  If
>>>>> we agree I'd be happy to volunteer to contact them.
>>>>>
>>>>> It's also possible we could ask OSI to do it - Jim Jagielski and I are both
>>>>> on the Board at present.
>>>>
>>>> These are both interesting ideas.
>>>
>>> The proposal is to pick a domain and get registration. Simon volunteers to help.
>>>
>>>
>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> An ISP for hosting the private ML needs to be selected. Dennis suggests
>>>>>> that the ASF could be that ISP for free.
>>>>
>>>> <slight snip/>
>>>>
>>>> And:
>>>>
>>>> <insert>
>>>>
>>>> On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote:
>>>>
>>>> <snip/>
>>>>
>>>>>
>>>>> If we basically agree that such a list as outlined by me is a way to
>>>>> go, I am happy to ask a friend of mine who has a very good reputation in being a mail server,
>>>>> mailing list and security expert, with a very good track record, including all sorts of certifications.
>>>>> He is offering e-mail services as a business.
>>>>>
>>>>> I just don't want to spread the name publicly without asking him first,
>>>>> and I don't want to ask him, before we have some common understanding. :-)
>>>>>
>>>>
>>>>
>>>> </insert>
>>>
>>> The proposal is for the existing securityteam to choose; the above are two possibilities.
>>>
>>>
>>>>
>>>>
>>>>>>
>>>>>> securityteam@oo.o is migrated to whatever the new list is, and those
>>>>>> people start administrating.
>>>>>>
>>>>>> I think it is very important for the public to know who all of the projects
>>>>>> are on the shared ML.
>>>
>>> I propose that this shared security team provide a list of participating peers
>>> to the public.
>>>
>>>>>>
>>>>>> Are we done already :-)
>>>>
>>>> Let's let the world revolve to see if we have some Consensus.
>>>
>>> Revolve 3x or 72 hours.
>>>
>>> Regards,
>>> Dave
>>>
>>>>
>>>> Regards,
>>>> Dave
>>>>
>>>>>>
>>>>>> Regards,
>>>>>> Dave
>>>>>>
>>>>>>>
>>>>>>> That is fair to anyone, does not exclude anyone, does not benefit one
>>>>>>> over the other -- it's easy, simple, and the best way to go. Sure,
>>>>>>> everyone can create own aliases pointing to that list, but the core is
>>>>>>> the same, and that's what matters.
>>>>>>>
>>>>>>> If you folks now start complaining about we don't trust Apache, we can
>>>>>>> answer by complaining you don't trust TDF and so on. It's a horrible
>>>>>>> waste of time, it's lame, it does not help anyone, and it makes me doubt
>>>>>>> we're talking amongst adults, seriously.
>>>>>>>
>>>>>>> And, really, all this crap being tossed around about trustworthiness,
>>>>>>> upstream, downstream, code similarities and insults is worth not even
>>>>>>> the digital paper it's written on.
>>>>>>>
>>>>>>> I made a simple, plain, and easy proposal. Don't make things overly
>>>>>>> complicated, folks.
>>>>>>>
>>>>>>> Thanks for considering,
>>>>>>> Florian
>>>>>>>
>>>>>>> --
>>>>>>> Florian Effenberger <floeff@documentfoundation.org>
>>>>>>> Steering Committee and Founding Member of The Document Foundation
>>>>>>> Tel: +49 8341 99660880 | Mobile: +49 151 14424108
>>>>>>> Skype: floeff | Twitter/Identi.ca: @floeff
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Simon Phipps
>>>>> +1 415 683 7660 : www.webmink.com
>>>>
>>>
>>>
>
>
