incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dave Fisher <dave2w...@comcast.net>
Subject Re: Neutral / shared security list ...
Date Tue, 25 Oct 2011 16:49:04 GMT
Rob,

Some points and a slight criticism about your style which is to put it mildly an acquired
taste.

On Oct 25, 2011, at 8:41 AM, Rob Weir wrote:

> On Tue, Oct 25, 2011 at 11:24 AM, Dave Fisher <dave2wave@comcast.net> wrote:
>> Hi Michael,
>> 
>> On Oct 25, 2011, at 3:47 AM, Michael Meeks wrote:
>> 
>>> Hi Dave,
>>> 
>>> On Mon, 2011-10-24 at 16:25 -0700, Dave Fisher wrote:
>>>> Not sure how much this is like your original proposal, but maybe the
>>>> following is acceptable:
>>>> 
>>>> (1) The securityteam@openoffice.org continues.
>>> 
>>>       As mentioned, not happy about an openoffice.org domain; LibreOffice is
>>> not openoffice.org, that is not really neutral.
>> 
>> Understood. It is a requirement for a neutral address. On our side it is a desire
for the same address

Rob - you've been misquoting Michael about neutral. Here he expressed his view succinctly.

I also think you might have finally have made clear about what you mean by "neutrality" in
your exchange with Florian. I think you mean a measure of trust, but verify.


<snip>

>>> 
>>>       So - I am still fairly firmly convinced that this security thing is not
>>> going to pan out. Here is my potted history of it:
>>> 
>>>       * initial request for continuing the traditional,
>>>         friendly cross membership of security lists
>>>               + turned down at AOOoI: Apache Committers only
>>>       * requests for a neutral list with neutral name turn into:
>>>               + ASF & openoffice.org -are-neutral-; proof by assertion
>>>       * more compromise proposals arrive
>>>               + these have high level ASF governance hard-wired
>> 
>> I can see how you would perceive the history this way.
>> 
>> I think it would help to have a single ML and I think that is more important than
the address. securityteam@openoffice.org can be made to forward to that address if necessary.
>> 
>>>       This doesn't make it seem like we're going anywhere productive, which
>>> is fine - there is no huge problem with having two separate public
>>> facing security lists that can have cross membership on them.
>>> 
>>>       Since there is no TDF affiliated admin for the currently suggested,
>>> Apache controlled, 'neutral' security list, extracting a membership list
>>> of that would be appreciated - so we can mirror it in a suitable other
>>> place.
>> 
>> It would be good for the AOOo PPMC to see this list as well. I think that the actual
membership should be shared in private. Would someone with appropriate karma on the OOo MLs
please provide this.
>> 
> 
> -1 to that.  Sharing subscriber lists with other organizations is a
> violation of trust and violates personal data protection.

-1 is anti-social. -1 to your -1. Please stop these -1s. You don't win any friends this way.
You drive people away. I had to waste time being annoyed.

> However, if someone wants to send a note to securityteam, inviting
> members to subscriber to another list, as an opt-in, that would
> address those concerns.

If the AOOo podling is responsible for the governance of the securityteam@oo.o list then it
deserves to know who the heck is on the list.

If the "PEER" constituents of a shared securityteam@oo.o (or whatever list is decided) cannot
know the membership of that list then then the project should have zero to do with that list.

I know that the situation is not this extreme, but your -1s invite extreme reactions.

> 
> But it would be good to think this through, and see if we can avoid an
> infinite regress of mailing lists.  We already have ooo-security and
> tdf-security and securityteam.  Are we really going to create a 4th
> one based on one person's irrational distrust of Apache?  What if we
> create that list and someone else expresses irrational distrust of
> that list?  (And don't say it could not happen).  And then the same
> thing with a 5th list?  I think it is easier just to work toward a
> security list with rational participants on it.

We are deciding what to do with securityteam@oo.o. Does it continue or is it replaced by another
list? We are NOT deciding on 4th or 5th lists. Put those cats back in your hat, they are distractions
for a rainy day. (Yes, I learned recursion from Dr. Seuss!)

Regards,
Dave

> 
> -Rob
> 
>>>       I'm also minded to consider the relative grief of endlessly re-hashing
>>> this issue vs. actually fixing whatever bugs are found. Can we not just
>>> move on.
>> 
>> You suggested: officesecurity@lists.freedesktop.org
>> 
>> The comment was that this was not an appropriate domain name as not all of the "Office
Space" is Linux. So, the open question is where the list is hosted.
>> 
>> Martin mentions hosting at Team OpenOffice, but that fails your neutrality test doesn't
it?
>> 
>> Regards,
>> Dave
>> 
>> 
>>> 
>>>       All the best,
>>> 
>>>               Michael.
>>> 
>>> --
>>> michael.meeks@suse.com  <><, Pseudo Engineer, itinerant idiot
>>> 
>> 
>> 


Mime
View raw message