incubator-ooo-dev mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Handling and Reporting CVEs (was RE: Proposal: ooo-announce list)
Date Tue, 13 Dec 2011 00:07:40 GMT
I meant an inter-project list, not an intra-project list.  

-----Original Message-----
From: Rob Weir [mailto:robweir@apache.org] 
Sent: Monday, December 12, 2011 14:05
To: ooo-dev@incubator.apache.org
Subject: Re: Handling and Reporting CVEs (was RE: Proposal: ooo-announce list)

On Mon, Dec 12, 2011 at 4:54 PM, Dennis E. Hamilton
<dennis.hamilton@acm.org> wrote:
> I don't have any doubts about Apache-wide handling of CVEs, and guidance to security
> teams within Apache projects is complete and comprehensive.
>
> I was thinking more about an OpenOffice-ecosystem public discuss list where the various
> security teams for OpenOffice.org code-based products can work out mutual agreements on security
> issues and the CVEs that impact common features. It should be separate from the private, sensitive
> lists that are only for reports of security issues.
>

If it is not private, then how about here on ooo-dev?

Although one could imagine a set of additional lists for every dev
specialization in the project, I'm not sure we really need a separate
public list for security.   But once you get started, it is hard to
stop: security, then qa, localization, performance, accessibility, UI,
doc, help, install, etc.  Creating lists and putting boxes around
things is very clean and logical.  I assume that is how OOo ended up
with 300+ of them.

>  - Dennis
>
> -----Original Message-----
> From: Daniel Shahaf [mailto:d.s@daniel.shahaf.name]
> Sent: Monday, December 12, 2011 11:27
> To: Dennis E. Hamilton
> Cc: ooo-dev@incubator.apache.org
> Subject: Re: Handling and Reporting CVEs (was RE: Proposal: ooo-announce list)
>
> Dennis E. Hamilton wrote on Mon, Dec 12, 2011 at 10:21:33 -0800:
>> PS: It might be nice to have a single public place to discuss just
>> these practices across the family without deflecting the reporting
>> lists from their focused purpose with regard to receiving and
>> assessing vulnerability and exploit reports.  Although I think one
>> would be useful to have, there does not seem to be much interest on
>> the part of the various security teams.
>>
>
> If you want to have an Apache-wide discussion about how to handle CVEs,
> I'm sure there's an existing list appropriate for that.
> [ ... ]
>
