From: "Dennis E. Hamilton"
Cc: "'Michael Meeks'"
Subject: RE: Neutral / shared security list ...
Date: Wed, 19 Oct 2011 14:56:03 -0700

It is a little difficult to figure out where to reply on this thread, but I am mostly aligned with Shane and the response from Simon.

THE PRESENT STATE OF AFFAIRS

First, since the earlier conversation and the exchange that Michael Meeks mentions in his restart of this thread today, Martin Hollmichel added Rob Weir as an additional moderator on securityteam@ OO.o. I privately requested being added to that list as a subscriber so that there is more coverage from ooo-security@ i.a.o, although I don't know if that has been accomplished. Also, ooo-security@ i.a.o is subscribed to securityteam@ OO.o.

So, there is a way to receive everything that goes to securityteam@ and there are enough of us who should be able to ensure that anything of mutual importance that ooo-security@ learns of can be reported to securityteam@.

There is now a degree of shared oversight on the securityteam@ list that should work going forward as tuning is done. I believe this is preferable to making a new place and having to construct a new securityteam, for many reasons including the security of securityteam@ itself.

THE FAILING/DESIRED STATE?

The preceding steps were taken around October 10-13 on the urging of Apache mentor(s) that action had been delayed too long and the cross-connection on common territory needed to be cleaned up ASAP. I think that's been accomplished well enough for now.

This does raise some issues.

First, perpetuation of securityteam@ OO.o depends on preservation of that e-mail list and its operation when the OpenOffice.org domain comes under Apache custody. If, instead, securityteam@ OO.o has to be abandoned, an alternative community-common location will have to be created.

If securityteam@ OO.o is preserved, I believe the oversight of security@ apache.org and the care of Apache infrastructure is a bonus. The ASF attention to security and commitment to the security and safety of the sites in its care is valuable. It is well-established. The strength of the security@ team is a related bonus. There is a highly-experienced and qualified team in a position to ensure that securityteam@ is secured and also operated in a reliable and even-handed way.

I had preferred, myself, that any ASF contribution of moderation and administration, along with that provided by others, come from security@ a.o rather than anyone on ooo-security@ i.a.o. I think security@ is more credible as a neutral party. ASF has no issue with how many different office suites there are, how many open-source office suite projects there are, and what the variety of releases and distributions might be. So I think it is a superior earnest from ASF to have security@ take a hand to ensure that security comes first and that competitive instincts will have no influence.

On the other hand, security@ already has oversight on everything that happens on ooo-security, including anything ooo-security receives automatically from securityteam@ OO.o. I think that is good enough, but it might not be perceived to be by those who need to be able to trust in securityteam@ OO.o.

If securityteam@ OO.o cannot be preserved, then an alternative arrangement will have to be made no matter what. Then I think it is important that Michael Meeks's latest proposal be brought to the front. Even if Apache hosting and infrastructure is chosen as a proven way to have assurance of available and secure sites and lists, it might be better to not use an apache.org domain name for it.

 - Dennis

-----Original Message-----
From: Shane Curcuru [mailto:asf@shanecurcuru.org]
Sent: Wednesday, October 19, 2011 08:41
To: ooo-dev@incubator.apache.org
Subject: Re: Neutral / shared security list ...

On 10/19/2011 11:28 AM, Simon Phipps wrote:
> On Wed, Oct 19, 2011 at 4:16 PM, Pedro Giffuni wrote:
>
>> -1
>> The Apache Foundation *IS* neutral.
>> Beyond the evident open wounds the previous relationship with SUN/Oracle
>> may have left in the community, the OpenOffice.org domain is the natural
>> reference for longtime users and the developers of the many forks.
>>
>
> I agree, but the problem is one not of the neutrality of the trademark owner
> but rather the practical neutrality of the administration of the shared
> list. Is the project happy for the list administration to be shared with
> others outside Apache?
>
> If so (and if it actually happened!) I would share your vote and re-iterate
> my earlier proposal that securityteam@openoffice.org be used.
>
> S.

I'm confident that the Apache security team and specific members of AOOo PPMC could arrange a suitable administration structure to satisfy any reputable security-minded contributor in the OOo world. While some of us may have significant differences elsewhere, I hope (and presume) that we all take security seriously enough to do it correctly.

And given that the existing s@oo.o email address is already plastered over archives and search results and millions of users' existing installs, keeping the same email address is a huge bonus in terms of capturing security issues from less technical end-users.

In terms of reliability, that should not be an issue once we are hosting the mailing lists at the ASF and the Apache infra team has full access to maintain the lists up to the same standards as our other lists.

- Shane