incubator-ooo-dev mailing list archives

From Dave Fisher <dave2w...@comcast.net>
Subject Re: [proposal] Neutral / shared security list ...
Date Tue, 25 Oct 2011 23:19:52 GMT

On Oct 25, 2011, at 4:05 PM, Rob Weir wrote:

> On Tue, Oct 25, 2011 at 7:01 PM, Dennis E. Hamilton
> <dennis.hamilton@acm.org> wrote:
>> Oh, and the most important part:
>> 
>> In what way is the AOOo party to the consensus that is reached?  That ooo-security (an agent of the PPMC, essentially) will participate in the described community arrangement if established? Something else?
>> 
> 
> It would be good to also include in the proposal how IP will be
> treated.  By my reading of the iCLA this would not be covered, since
> it is not an Apache list.  We'd need to make some other agreement,
> take it to legal-discuss, etc.

I'm not so sure.

ooo-security is responsible for assuring that security fixes for AOOo are AL2 compatible.
If the shared security group is not producing compatible IP in response to a security threat
that is a different problem. If it happens often then ooo-security will need to discuss this
with ooo-private.

We can make it a mission statement of this group to help all the peers produce fixes that
are compatible with their licenses. I don't think we can guarantee all individuals on the
team will be able to always do so. Requiring such an affirmation is clearly a blocker for
some individuals' participation.

Regards,
Dave

> 
>> I think that would be essential to bringing this to a successful conclusion.
>> 
>> -----Original Message-----
>> From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org]
>> Sent: Tuesday, October 25, 2011 15:45
>> To: 'ooo-dev@incubator.apache.org'
>> Cc: 'Dave Fisher'
>> Subject: RE: [proposal] Neutral / shared security list ...
>> 
>> Dave, if you are going to do that, just relabeling a thread is not helpful.
>> 
>> Please compose a specific concrete proposal under a [DISCUSS], and announce the duration and end-time for a lazy consensus at the top.
>> 
>> Give it at least 3 full 24-hour calendar days.
>> 
>> I don't have any sense that there is alignment yet, but there may be in that time and I am happy to be mistaken.  Then at the end, if there is a consensus, please report what it is.
>> 
>>  - Dennis
>> 
>> -----Original Message-----
>> From: Dave Fisher [mailto:dave2wave@comcast.net]
>> Sent: Tuesday, October 25, 2011 15:35
>> To: ooo-dev@incubator.apache.org
>> Cc: floeff@documentfoundation.org
>> Subject: Re: [proposal] Neutral / shared security list ...
>> 
>> Hi -
>> 
>> Sorry to reply to myself.
>> 
>> Even though there are choices in this email, please view it as a proposal where we are seeking lazy consensus.
>> 
>> On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote:
>> 
>>> On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote:
>>> 
>>>> On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher <dave2wave@comcast.net> wrote:
>>>> 
>>>>> 
>>>>> Agreed. We need to pick a neutral domain name. office-security.org is
>>>>> apparently free.
>>>>> 
>>>>> Some institution needs to buy domain registration. I've been the volunteer
>>>>> registrar for a social group's domain, it is a pain to transition. This needs
>>>>> to be an institution, it could be Team OOo?
>>>>> 
>>>> 
>>>> I think they are too close to the matter.  SPI exists specifically to hold
>>>> assets in trust - perhaps they would hold the registration for us all?  If
>>>> we agree I'd be happy to volunteer to contact them.
>>>> 
>>>> It's also possible we could ask OSI to do it - Jim Jagielski and I are both
>>>> on the Board at present.
>>> 
>>> These are both interesting ideas.
>> 
>> The proposal is to pick a domain and get registration. Simon volunteers to help.
>> 
>> 
>>> 
>>>> 
>>>> 
>>>>> 
>>>>> An ISP for hosting the private ML needs to be selected. Dennis suggests
>>>>> that the ASF could be that ISP for free.
>>> 
>>> <slight snip/>
>>> 
>>> And:
>>> 
>>> <insert>
>>> 
>>> On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote:
>>> 
>>> <snip/>
>>> 
>>>> 
>>>> If we basically agree that such a list as outlined by me is a way to go, I am happy to ask a friend of mine who has a very good reputation in being a mail server, mailing list and security expert, with a very good track record, including all sorts of certifications. He is offering e-mail services as business.
>>>> 
>>>> I just don't want to spread the name publicly without asking him first, and I don't want to ask him, before we have some common understanding. :-)
>>>> 
>>> 
>>> 
>>> </insert>
>> 
>> The proposal is for the existing securityteam to choose, the above are two possibilities.
>> 
>> 
>>> 
>>> 
>>>>> 
>>>>> securityteam@oo.o is migrated to whatever the new list is, and those
>>>>> people start administrating.
>>>>> 
>>>>> I think it is very important for the public to know who all of the projects
>>>>> are on the shared ML.
>> 
>> I propose that this shared security team provide a list of participating peers to the public.
>> 
>>>>> 
>>>>> Are we done already :-)
>>> 
>>> Let's let the world revolve to see if we have some Consensus.
>> 
>> Revolve 3x or 72 hours.
>> 
>> Regards,
>> Dave
>> 
>>> 
>>> Regards,
>>> Dave
>>> 
>>>>> 
>>>>> Regards,
>>>>> Dave
>>>>> 
>>>>>> 
>>>>>> That is fair to anyone, does not exclude anyone, does not benefit one
>>>>>> over the other -- it's easy, simple, and the best way to go. Sure,
>>>>>> everyone can create own aliases pointing to that list, but the core is
>>>>>> the same, and that's what matters.
>>>>>> 
>>>>>> If you folks now start complaining about we don't trust Apache, we can
>>>>>> answer by complaining you don't trust TDF and so on. It's a horrible
>>>>>> waste of time, it's lame, it does not help anyone, and it makes me doubt
>>>>>> we're talking amongst adults, seriously.
>>>>>> 
>>>>>> And, really, all this crap being tossed around about trustworthiness,
>>>>>> upstream, downstream, code similarities and insults is worth not even
>>>>>> the digital paper it's written on.
>>>>>> 
>>>>>> I made a simple, plain, and easy proposal. Don't make things overly
>>>>>> complicated, folks.
>>>>>> 
>>>>>> Thanks for considering,
>>>>>> Florian
>>>>>> 
>>>>>> --
>>>>>> Florian Effenberger <floeff@documentfoundation.org>
>>>>>> Steering Committee and Founding Member of The Document Foundation
>>>>>> Tel: +49 8341 99660880 | Mobile: +49 151 14424108
>>>>>> Skype: floeff | Twitter/Identi.ca: @floeff
>>>>>> 
>>>>> 
>>>>> 
>>>> 
>>>> 
>>>> --
>>>> Simon Phipps
>>>> +1 415 683 7660 : www.webmink.com
>>> 
>> 
>> 

