From: Rob Weir
To: ooo-dev@incubator.apache.org, securityteam@openoffice.org
Date: Fri, 21 Oct 2011 14:33:39 -0400
Subject: Re: [DISCUSS] Neutral / shared security list proposal
Please continue the detailed governance topic only on securityteam@OO.o. Out of respect for the TDF guys, I don't want them to feel that the only way they can have a say in the governance of securityteam is to have a public discussion on the AOOo dev list. I've seen previous posts from TDF members, in other contexts, where they expressed concerns about such things.

This will be the last post on this topic I will forward to ooo-dev. And I'd caution others against forwarding material from a private list, like securityteam, to a public list, like ooo-dev. It is very dangerous to cross post like this between public and private lists. Let's stop that. Now.

-Rob

2011/10/21 Dennis E. Hamilton:
> OK, I am going ahead and including securityteam@OO.o in this discussion, then all of us can see what's being discussed.
>
> I am adding the full text of what Michael was replying to as well.
>
> Simon proposes something more promising, from my viewpoint, beyond bilateral ownership between AOOo and TDF. He is looking for a multilateral solution using securityteam@ OO.o, and this [DISCUSS] was started in response to Simon's proposal.
>
> There have been objections to this being only bilateral between AOOo and TDF. A multilateral approach is preferred for how the list conducts itself and how participants are able to ensure coordination with their own private security operations when an issue of common concern comes to light.
>
> Securityteam@ OO.o has a multilateral membership, I presume. That was workable under Sun and OASIS custodianship and there is no reason to assume that ASF (not AOOo) is not a reliable custodian in that regard with regard to operational support, preserving security of the list, dealing with outages, etc.
> This is not about what happens on the list, but fundamental IT operational support and the serious desire to ensure security and preservation for the list and its archives. ASF (not AOOo) has strong, enduring capabilities in that regard. It also manages an overall security@ operation and supports the various security teams associated with individual Apache projects.
>
> Since ASF has been granted the domain name, the continuation of securityteam@ OO.o will come under ASF infrastructure operation at some point, in some manner. If the list can be preserved using the already-known list address, that will be the least disruptive, operationally.
>
> How governance is dealt with on the list is independent of custodianship and has to be worked out whoever hosts the list. Commitment to multilateral governance is not a JFDI.
>
> - Dennis
>
> -----Original Message-----
> From: Marc-André Laverdière [mailto:marc-andre@atc.tcs.com]
> Sent: Friday, October 21, 2011 10:51
> To: orcmid@apache.org
> Cc: ooo-dev@incubator.apache.org; michael.meeks@suse.com; 'lsecurity'; 'Simon Phipps'
> Subject: RE: [DISCUSS] Neutral / shared security list proposal
>
> I tend to go for the "just get it done" philosophy when we reach that point.
>
> So let me summarize what that'd mean for me:
>
> - Michael registers us a neutral mailing list and both teams register 3-4 folks
> - We stick with the 'old' ml with the suggested membership structure.
>
> Like, seriously... just get it done ;)
>
>> Excuse me Michael, the proposal I am referring to was offered by Simon Phipps and I included his message.
>>
>> If you don't want to accept the OUTLINE PROPOSAL or start from it as a point of discussion, that is fine. Just be clear that Simon's proposal was the one that I was replying about and proposing be [DISCUSS]ed on ooo-dev too.
>>
>> I was hoping that Simon's good offices in mediating this would be valuable. Is that not acceptable?
>>
>> What I like about Simon's proposal is that it is the least disruptive, and it adds meritocracy and (private) transparency features to how securityteam@OO.o operates. I assume that the current securityteam@ OO.o list would be grandfathered in. Why not?
>>
>> I pointed out in starting this [DISCUSS] thread that there is enough connection from ooo-security so that ASF can be represented well enough in discussion on securityteam@ OO.o to forward Simon's proposal, if there is agreement to do that. I don't see where anything about myself, Rob, and Caolan are in the message you are responding to.
>>
>> With regard to how the list software works/might-not/doesn't, can these 2d and 3rd order issues be deferred until the big questions are handled?
>>
>> - Dennis
>>
>> -----Original Message-----
>> From: Michael Meeks [mailto:michael.meeks@suse.com]
>> Sent: Friday, October 21, 2011 10:07
>> To: orcmid@apache.org
>> Cc: 'Simon Phipps'; ooo-dev@incubator.apache.org; lsecurity
>> Subject: Re: [DISCUSS] Neutral / shared security list proposal
>>
>> Hi Dennis & list,
>>
>> On Fri, 2011-10-21 at 08:11 -0700, Dennis E. Hamilton wrote:
>>> It is not something that can be done unilaterally here on the AOOo podling. Do you propose that this be discussed at securityteam@ OO.o? It would seem that is where consensus is required.
>>
>> Last I checked only a few from TDF's security group are on that list; so it doesn't seem an ideal forum either. Let's just CC our security team as I've done.
>>
>> I am mildly amused by the convenient deployment of the argument type: "we have always done it this way" from a project undergoing such a lot of (in many ways positive) changes.
>> Combine this with a world of extraordinary possibilities such as: mail forwarding and the "mail address is well known" bites the dust. There were many projects and people I used to admire in the ASF, but claiming it is neutral in today's world is not sensible.
>>
>> I would like to see, and think it is reasonable to ask for:
>>
>> 1. a neutral domain / list name
>> 2. a comprehensive set of moderators / admins cf. previous
>> 3. neutral hosting
>>
>> It seems vs. the present that the ASF guys are suggesting to compromise on only one of these points (2.) ie. having two Apache supporters (Rob + Dennis) as moderators, and one TDF guy (me or Caolan): is that right ?
>>
>> At a big stretch, assuming there is no heavy-governance-petting anywhere near it, I could cope with not having 3. ie. Apache hosting it - after all, that is rather invisible [ but I personally loathe reply-to mangling - I don't believe we would want that pushed onto us ].
>>
>> So - where do we go from there ? it looks to me like no compromise is possible (for some definitions of compromise). We could create two 'neutral' mailing lists one at each side, with cross subscriptions to our own security lists - but it all seems a bit pointless.
>>
>> Regards,
>>
>> Michael.
>>
>> --
>> michael.meeks@suse.com <><, Pseudo Engineer, itinerant idiot
>>
>
> -----Original Message-----
> From: Dennis E. Hamilton [mailto:orcmid@apache.org]
> Sent: Friday, October 21, 2011 08:11
> To: 'Simon Phipps'
> Cc: 'Michael Meeks'; ooo-dev@incubator.apache.org
> Subject: [DISCUSS] Neutral / shared security list proposal
>
> I'm not sure Simon noticed this. Here's a follow-up, with a fresh thread.
>
> Simon, what is the next action on this proposal?
> It is not something that can be done unilaterally here on the AOOo podling. Do you propose that this be discussed at securityteam@ OO.o? It would seem that is where consensus is required.
>
> AOOo ooo-security follows that list, as I described previously. And there appear to be at least three of us from the AOOo PPMC that are individually subscribed. So AOOo representation in the discussion can be assured.
>
> What's next?
>
> - Dennis E. Hamilton
> tools for document interoperability,
> dennis.hamilton@acm.org gsm: +1-206-779-9430 @orcmid
>
> -----Original Message-----
> From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org]
> Sent: Wednesday, October 19, 2011 17:51
> To: ooo-dev@incubator.apache.org; orcmid@apache.org
> Cc: 'Michael Meeks'
> Subject: RE: Neutral / shared security list ...
>
> OK Simon, but I am talking about custodial responsibility too, not just the manner in which list administration and moderation are handled.
>
> I personally have no objection to the governance you propose in your second and third bullets. I have no idea how it is done right now, since I am new to that list. However ooo-security has been receiving mail from that list since 2011-10-13 and I have not seen any governance discussions, nor any indication of additions to the list in any way.
>
> It seems to me that your proposal should go to securityteam@ as well [;<). I assume there are enough individuals there that are empowered to hammer this out.
>
> In that case, any intervention from ASF security@ observers of securityteam@ would be if the house was on fire and from Apache Infra if the list was seen to be hacked or anything required immediate intervention, such as shutting down and restoring the list, anything else appropriate.
> These are operational responsibilities that require someone with IT-operations level access to the equipment.
>
> Does that work better for you?
>
> - Dennis
>
> -----Original Message-----
> From: Simon Phipps [mailto:simon@webmink.com]
> Sent: Wednesday, October 19, 2011 16:19
> To: ooo-dev@incubator.apache.org; orcmid@apache.org
> Cc: Michael Meeks
> Subject: Re: Neutral / shared security list ...
>
> On Wed, Oct 19, 2011 at 10:56 PM, Dennis E. Hamilton wrote:
>
>> If securityteam@ OO.o is preserved, I believe the oversight of security@apache.org and the care of Apache infrastructure is a bonus.
>
> I disagree. Having an arbitrary steward - regardless of their excellence - is not the way to sustain (or indeed rebuild) trust. The correct oversight is the list-members themselves.
>
> OUTLINE PROPOSAL:
>
> Thus I'd propose (in outline):
>
> * That securityteam@openoffice.org be used as the shared meta-community security contact list for projects deriving their source code from the former Sun-led OpenOffice.org project. The list would be used for any valid meta-community security matter including especially announcement co-ordination.
>
> * That the list should be private to list members (and with the consent of the list, to their project's private security list), with mutually agreed confidentiality, and populated only with people known to the majority of the list members as bona-fides security-related developers.
>
> * That the list be populated only with the consent of the existing list members (suggested process: a list member proposes a new list member with a brief explanation why they are a good-faith and experienced security developer in the meta-community. Code-modification-style voting takes place. A moderator adds the new member. In the event of mishap, list members may be removed using the same process).
>
> * Agreeing who the moderators should be by list-member consensus
>
> I'm sure this needs fleshing out by someone more process oriented, but I suggest this outline represents a workable compromise.
>
> Regards
>
> S.