incubator-ooo-dev mailing list archives

From Rob Weir <>
Subject Re: Neutral / shared security list ...
Date Wed, 30 Nov 2011 12:51:15 GMT
On Wed, Nov 30, 2011 at 7:41 AM, Christian Lohmaier
<> wrote:
> Hi Rob,
> On Wed, Nov 30, 2011 at 1:13 PM, Rob Weir <> wrote:
>> On Tue, Nov 29, 2011 at 11:45 AM, Pedro Giffuni <> wrote:
>>> Hello guys;
>>> --- On Tue, 11/29/11, Dave Fisher <> wrote:
>>>> Hi Michael,
>>>> While some might have hoped for another proposal and
>>>> discussion prior to action, thank you for going ahead where
>>>> there was clearly no consensus for specific action on the
>>>> AOO side.
>>> As I see it, this list is not official. The AOO PPMC has no
>>> influence whatever over it, but that is precisely the type
>>> of "neutrality" the involved actors wanted.
>> Remember, we had a securityteam mailing list already.  LO folks were
>> subscribed to it.  We (the AOO security team) have been working
>> closely with them on reported security issues.  This included analysis
>> and sharing of patches. (Yes, Apache and LO members shared patches).
>> So among the people actually involved in the security reporting and
>> resolution process, we had a system that worked.
> You-are-kidding-me.
> The whole thing was stirred up because you (Apache-OOo) claimed you
> would not know anything about the vulnerabilities that were fixed in
> LO.
> Starting with this:
> and lots and lots of messages that did follow.
> So it was not working since there was apparently lack of communication
> on ApacheOOoI's end.

And that was fixed quite some time ago, by subscribing ooo-security to
the securityteam list.  The collaboration between AOO and LO security
experts that I was speaking about has taken place since that, even
since that initial thread.  So it was working, except in the minds of
those who refused to give it a try.

>> But this did not seem to please Michael and Simon, people who were not
>> part of this process.  To their outside and highly political view, it
>> was not neutral enough.  So they unilaterally pushed through another
>> list.
> You're making a dick of yourself.

Some decorum on the list, please, or remove yourself.

> The security-list topic has been discussed at length spanning multiple
> weeks. Stop acting so surprised about it and especially don't deny
> that the discussion took place. This is ridiculous.

No one is acting surprised or claiming that there was not a discussion.

> That being said: Yes, apache-camp did disagree about the definition of
> "neutral" - TDF/LO's view is: A list carrying the trademark of one of
> the products is not neutral. No matter how nice its management is
> done. The email-address where people should report issues carries a
> clear stamp, and is therefore not neutral.
>> The status quo was working and no counter proposal had consensus.
> No - it was not working, and the same way you argue, Michael can
> argue with "lazy consensus" that is quoted so conveniently.

Michael is not a committer on this project.  He cannot claim lazy consensus.

>> Maybe some disagree and were unhappy that their personal preferences
>> did not get universal acclamation, but *how* we decide these questions
>> is as important as *what* we decide.    This was a very poor example
>> of decision making.  In fact I would not call it community decision
>> making at all.  It was just Michael acting alone.
> That is your personal crusade against Michael Meeks/SuSE. Keep that
> stuff out of it. Seriously. You're really making a kindergarten out of
> it.

I'm sorry you think that way.  I really care a lot about unbiased
neutral views like yours.


> ciao
> Christian
