From: Simon Phipps
Date: Thu, 20 Oct 2011 00:18:48 +0100
Subject: Re: Neutral / shared security list ...
To: ooo-dev@incubator.apache.org, orcmid@apache.org
Cc: Michael Meeks

On Wed, Oct 19, 2011 at 10:56 PM, Dennis E. Hamilton wrote:

> If securityteam@ OO.o is preserved, I believe the oversight of security@
> apache.org and the care of Apache infrastructure is a bonus.

I disagree. Having an arbitrary steward - regardless of their excellence - is not the way to sustain (or indeed rebuild) trust. The correct oversight is the list-members themselves.

OUTLINE PROPOSAL:

Thus I'd propose (in outline):

* That securityteam@openoffice.org be used as the shared meta-community security contact list for projects deriving their source code from the former Sun-led OpenOffice.org project. The list would be used for any valid meta-community security matter including especially announcement co-ordination.

* That the list should be private to list members (and with the consent of the list, to their project's private security list), with mutually agreed confidentiality, and populated only with people known to the majority of the list members as bona-fides security-related developers.

* That the list be populated only with the consent of the existing list members (suggested process: a list member proposes a new list member with a brief explanation why they are a good-faith and experienced security developer in the meta-community. Code-modification-style voting takes place. A moderator adds the new member. In the event of mishap, list members may be removed using the same process).

* Agreeing who the moderators should be by list-member consensus

I'm sure this needs fleshing out by someone more process oriented, but I suggest this outline represents a workable compromise.

Regards

S.