incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Proposal: ooo-announce list
Date Mon, 12 Dec 2011 00:00:15 GMT
I think the ooo-announce list is a good idea.  The blog would be an alternative, since it is
rather the official voice of the Apache OpenOffice podling.  The RSS feed can be the equivalent
of list subscription.  

A detail:

I don't believe there is any exception to the PPMC having the decisions and accountability
about security fixes and announcements.  

I recall Rob Weir arguing that very strongly on this list as part of objection to creation
of ooo-security in the first place, something that was finally done because security@ made
it clear there was no way security reports would be forwarded to the podling until there was
such an ooo-security list and team behind it.

The security team should be invisible but for the sensitive work with reporters and analysis
of reported vulnerabilities and exploits.  Ultimately, the PPMC has to determine the way forward,
if ooo-security confirms vulnerabilities and exploits.  Public reports should come from the
project and be reviewed and authorized by the PPMC.

 - Dennis

-----Original Message-----
From: Rob Weir [mailto:robweir@apache.org] 
Sent: Sunday, December 11, 2011 11:08
To: ooo-dev@incubator.apache.org
Subject: Re: Proposal: ooo-announce list

[ ... ]

Note:  this would be the exception to the rule that announcements are
pre-discussed by the PPMC.  I'd expect that such announcements would
come directly from the security team.  So we would need to have one of
the moderators for the announce list be from that team.

[ ... ]


Mime
View raw message