incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Weir <robw...@apache.org>
Subject Re: Vulnerability fixed in LibreOffice
Date Mon, 10 Oct 2011 11:45:34 GMT
On Mon, Oct 10, 2011 at 6:10 AM, Michael Meeks <michael.meeks@suse.com> wrote:
> Hi Rob,
>
> On Sun, 2011-10-09 at 15:26 -0400, Rob Weir wrote:
>> Reading binary file formats, including the legacy MS Office
>> formats, is notoriously difficult to do robustly.
>
>        Agreed.
>
>> 2) That security reports should be sent to successor project's
>> security contacts.
> ..
>> 3) We should list the AOOo's ooo-security list, as well as the TDF/LO
>> security list, and contacts for IBM Symphony, RedOffice, as well as
>> Oracle and Novell since they may have outstanding support contacts for
>> legacy release of OOo.
>
>        I would instead seriously suggest that the Apache OOo decision to
> exclude non-committers from the security list (undoing years of trust
> and co-operation here) plus our reciprocal action is the ultimate root
> cause of this communication problem. Fixing that by re-visiting that
> decision seems like the cheapest approach. Having dozens of contact
> points for umpteen different lists seems like a sure-fire recipe for
> disaster.
>

It is good to talk of root causes.    If you misdiagnosis the problem
then it is not surprising that the proposed remedy will be
ineffective.  Security reports come from security reporters.  Can you
tell us whether "Red Hat, Inc. security researcher Huzaifa
Sidhpurwala" is a TDF member and whether he was reporting this issue
under instructions from TDF?  I don't see him listed as a TDF member
[1], not do I see him ever having posted to the LO dev mailing list
[2].  So this is a typical example of an independent security report
that a project might get.   In most cases it is coming from someone
unrelated to the project and unrelated to kindred projects.  It will
rarely come from someone who is already on your security list.
Receiving reports such as this has absolutely nothing to do with
"years of trust and co-operation". It has everything to do with being
clear on where such reports should be submitted.

As mentioned before, submitting such reports to Apache is entirely
voluntary.   If such reports are not sent to Apache, it can be from
lack of information or lack of will.  I trust that my previous email
provided the necessary information.  You will not be able to claim in
the future that you do not know how to submit a security report to us,
or that it is the result of "miscommunication".  Of course, I cannot
provide the will.  But at least we'll be clear about "root causes" in
the future.

No objections if you want to start a separate invitation-only security
discussion list.  It would probably get some use.  But we'll continue
to ask for security reports to come to ooo-security.i.a.o.  You have
your own private security list for TDF as well, right?  So I don't see
reason for your hysteria about ooo-security when you have your own
private list as well.

[1] http://www.documentfoundation.org/foundation/members/
[2] http://lists.freedesktop.org/archives/libreoffice/


-Rob

Mime
View raw message