incubator-ooo-dev mailing list archives

From Rob Weir <robw...@apache.org>
Subject Re: Neutral / shared security list ...
Date Tue, 25 Oct 2011 15:41:40 GMT
On Tue, Oct 25, 2011 at 11:24 AM, Dave Fisher <dave2wave@comcast.net> wrote:
> Hi Michael,
>
> On Oct 25, 2011, at 3:47 AM, Michael Meeks wrote:
>
>> Hi Dave,
>>
>> On Mon, 2011-10-24 at 16:25 -0700, Dave Fisher wrote:
>>> Not sure how much this is like your original proposal, but maybe the
>>> following is acceptable:
>>>
>>> (1) The securityteam@openoffice.org continues.
>>
>>       As mentioned, not happy about an openoffice.org domain; LibreOffice is
>> not openoffice.org, that is not really neutral.
>
> Understood. It is a requirement for a neutral address. On our side it is a desire for
> the same address
>
>>> (2) The membership of securityteam ML should be open to individuals
>>> and forks/"downstreams" as selected by the ML membership.
>>
>>       Fine - though I'd characterise AOOoI as a fork too if this
>> is used as a loaded term.
>
> Not meant to be "loaded". As in another email exchange with Simon, PEER relationships
> without regard to perceived historical relationships.
>
>>
>>> (3) The securityteam ML moderators are selected from the
>>> individual membership of the securityteam ML.
>>
>>       Fine.
>>
>>> (4) The securityteam ML is nominally under the governance of the
>>> ASF - either the AOOo podling PPMC, the Apache Security Team, or
>>> even the Foundation Board. I think the AOOo podling PPMC should
>>> be acceptable, but we can ask the other entities if that is not
>>> neutral enough. We may ask the TDF to neutrally host some
>>> component and it would make sense for each entity to trust the
>>> neutrality of the other entity (Rob's real point).
>>
>>       Totally un-acceptable, I'm sorry. The Apache project is by no means
>> neutral. The decision to take on AOOoI and the actions of that project
>> are its responsibility.
>
> By nominally I meant only the minimum required by any responsible host who opens their
> facilities to the public.
>
> However, this is moot (does not matter) if the address is not in a domain that the ASF
> is responsible for.
>
>>> (5) No iCLAs are required.
>>
>>       Of course.
>>
>>> (6) A set point for membership is determined when at least
>>> AOOo, TDF, and any other OOo fork/"downstreams" who might
>>> appear within a reasonably short time period. The deadline
>>> would need to be agreed.
>>
>>       I would not have a process - we should just include everyone competent
>> who has a reason to be there; that is normally fairly easy to work out
>> relationally; if not the moderators can thrash it out. If it is a
>> multi-vendor, neutral list I don't envisage controversy there.
>
> I don't either. My thought was to give individuals / peer projects time to appear. If
> they are welcomed gladly by the list after the list's establishment then no troubles.
>
>>
>>> (7) The securityteam@openoffice.org ML will be hosted by the
>>> ASF when the MX for openoffice.org is moved to ASF Infrastructure.
>>
>>       Hosting by the ASF is by no means ideal, but perhaps compromise here is
>> reasonable.
>>
>>> I'm currently curious if LO uses extensions.s.oo.o and templates.s.oo.o?
>>
>>       We built our own new infrastructure for that.
>
> Good for LO. More for AOOo to cleanup...
>
>>
>>       So - I am still fairly firmly convinced that this security thing is not
>> going to pan out. Here is my potted history of it:
>>
>>       * initial request for continuing the traditional,
>>         friendly cross membership of security lists
>>               + turned down at AOOoI: Apache Committers only
>>       * requests for a neutral list with neutral name turn into:
>>               + ASF & openoffice.org -are-neutral-; proof by assertion
>>       * more compromise proposals arrive
>>               + these have high level ASF governance hard-wired
>
> I can see how you would perceive the history this way.
>
> I think it would help to have a single ML and I think that is more important than the
> address. securityteam@openoffice.org can be made to forward to that address if necessary.
>
>>       This doesn't make it seem like we're going anywhere productive, which
>> is fine - there is no huge problem with having two separate public
>> facing security lists that can have cross membership on them.
>>
>>       Since there is no TDF affiliated admin for the currently suggested,
>> Apache controlled, 'neutral' security list, extracting a membership list
>> of that would be appreciated - so we can mirror it in a suitable other
>> place.
>
> It would be good for the AOOo PPMC to see this list as well. I think that the actual
> membership should be shared in private. Would someone with appropriate karma on the OOo MLs
> please provide this.
>

-1 to that.  Sharing subscriber lists with other organizations is a
violation of trust and violates personal data protection.

However, if someone wants to send a note to securityteam, inviting
members to subscribe to another list, as an opt-in, that would
address those concerns.

But it would be good to think this through, and see if we can avoid an
infinite regress of mailing lists.  We already have ooo-security and
tdf-security and securityteam.  Are we really going to create a 4th
one based on one person's irrational distrust of Apache?  What if we
create that list and someone else expresses irrational distrust of
that list?  (And don't say it could not happen).  And then the same
thing with a 5th list?  I think it is easier just to work toward a
security list with rational participants on it.

-Rob

>>       I'm also minded to consider the relative grief of endlessly re-hashing
>> this issue vs. actually fixing whatever bugs are found. Can we not just
>> move on.
>
> You suggested: officesecurity@lists.freedesktop.org
>
> The comment was that this was not an appropriate domain name as not all of the "Office
> Space" is Linux. So, the open question is where the list is hosted.
>
> Martin mentions hosting at Team OpenOffice, but that fails your neutrality test doesn't
> it?
>
> Regards,
> Dave
>
>
>>
>>       All the best,
>>
>>               Michael.
>>
>> --
>> michael.meeks@suse.com  <><, Pseudo Engineer, itinerant idiot
>>
>
>
