Message-ID: <4EA70DEB.6000607@gmail.com>
Date: Tue, 25 Oct 2011 12:28:43 -0700
From: Kay Schenk
To: ooo-dev@incubator.apache.org
Subject: Re: [Proposal] Security coordination without a shared list

On 10/25/2011 09:08 AM, Rob Weir wrote:
> There is an easy way to avoid all the trust issues with regards to
> shared mailing lists. Don't have such a list. Trust individuals.
> This proposal takes this approach.

Actually I personally like this idea. Why?
There have been many statements/testimonies to the fact that LO contains a great deal of code that is NOT in any of the OOo releases, and is now quite different. And, presumably, the LO development will continue to be different enough to warrant its own separate universe of mailing lists.

I think at some point if we decided we really truly wanted to have a shared security list, it would become very difficult to determine who was the responsible party for the grievances. I might be exaggerating the problems since I'm not a developer, but, then again, maybe not.

So, although I'd love to see us work more closely with LO, I believe separate security lists are in order.

>
> 1) The AOOo PMC solicits the names of security contacts from related
> projects who wish to be consulted related to pre-disclosure
> coordination related to analysis and resolution of reported security
> vulnerabilities. Names of individuals are preferred over opaque
> mailing lists. Trust can be established based on a PGP/GPG web of
> trust. These names and addresses are stored confidentially in the
> PPMC's private SVN directory.
>
> 2) The AOOo security team reaches out to these contacts, as
> appropriate, via their preferred contact mechanism, to coordinate on
> specific vulnerabilities. We (Apache) would cc ooo-security on our
> external emails, as required by Apache policy [1].
>
> 3) Other groups would be encouraged to reach out to AOOo in similar
> circumstances via our preferred contact mechanism, ooo-security.
>
> 4) This fully allows targeted collaboration on specific issues, via
> each project's preferred contact mechanism, without requiring the
> maintenance of an additional email list.
>
> 5) If we want to discuss security in general, then that can/should
> happen on public dev lists. That public discussion could occur
> anywhere.
>
>
> [1]: http://www.apache.org/security/committers.html

-- 
------------------------------------------------------------------------
MzK

"This is no social crisis
Just another tricky day for you."
-- "Tricky Day", the Who