Subject: Re: [Proposal] Security coordination without a shared list
From: Rob Weir
To: ooo-dev@incubator.apache.org
Date: Tue, 25 Oct 2011 13:37:01 -0400
In-Reply-To: <08BB3197-24B0-4066-9DBB-67C1B7DB18A9@comcast.net>

On Tue, Oct 25, 2011 at 1:29 PM, Dave Fisher wrote:
> Rob,
>
> I'd like to actually try to work out the shared list situation with a
> sincere spirit of mutual understanding, listening and co-operation.
>
> On Oct 25, 2011, at 9:08 AM, Rob Weir wrote:
>
>> There is an easy way to avoid all the trust issues with regards to
>> shared mailing lists. Don't have such a list. Trust individuals.
>> This proposal takes this approach.
>>
>> 1) The AOOo PMC solicits the names of security contacts from related
>> projects who wish to be consulted related to pre-disclosure
>> coordination related to analysis and resolution of reported security
>> vulnerabilities. Names of individuals are preferred over opaque
>> mailing lists. Trust can be established based on a PGP/GPG web of
>> trust. These names and addresses are stored confidentially in the
>> PPMC's private SVN directory.
>
> Do you have software that actually exists that does this? Who is going
> to build this?
>

Yes. It doesn't require anything special beyond GPG and an email client.

>>
>> 2) The AOOo security team reaches out to these contacts, as
>> appropriate, via their preferred contact mechanism, to coordinate on
>> specific vulnerabilities. We (Apache) would cc ooo-security on our
>> external emails, as required by Apache policy [1].
>
> Replies would not necessarily be cc'd to ooo-security and that would be
> a problem.
>

With a mailing list you also have the problem that sometimes someone
responds to the individual rather than to the list. We're all familiar
with that risk and know how to watch out for it.

As I understand it, this is also the approach that other Apache projects
use. You don't see other projects set up additional off-site "neutral"
mailing lists for this purpose. Please correct me if you know of other
examples at Apache. But projects do reach out for pre-disclosure. So
this is an approach Apache does have some experience with.

>>
>> 3) Other groups would be encouraged to reach out to AOOo in similar
>> circumstances via our preferred contact mechanism, ooo-security.
>>
>> 4) This fully allows targeted collaboration on specific issues, via
>> each project's preferred contact mechanism, without requiring the
>> maintenance of an additional email list.
>>
>> 5) If we want to discuss security in general, then that can/should
>> happen on public dev lists. That public discussion could occur
>> anywhere.
>>
>>
>> [1]: http://www.apache.org/security/committers.html
>
> Time to be productive today.
>
> Regards,
> Dave
>