incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Meeks <michael.me...@suse.com>
Subject Fwd: Shutdown of the securityteam@openoffice.org mailing
Date Mon, 19 Mar 2012 11:49:32 GMT
Hi guys,

	The appended mail was sent to the old multi-vendor security list at
openoffice.org recipients. That seems reasonable - the infrastructure is
coming to an end.

	As previously discussed ( to death ;-) [ and I have no particular
desire to re-opening and re-hash the issue ] this
securityteam@openoffice.org list -used- to be the multi-vendor, neutral
place for reporting security vulnerabilities in openoffice.org and then
Apache OpenOffice.

	With it's move to Apache hosting, I have a few questions:

	a) will the composition of this list remain the same, or
	   will it change to exclude non Apache-committers ? or is
	   this cross-project list simply gone ?

	b) in the light of a) will Apache OpenOffice be recommending
	   reports be made exclusively to this address ?

	To re-iterate the status quo from the LibreOffice side: we recommend
that issues are directed to a joint mailing list:
officesecurity@lists.freedesktop.org that is vendor neutral,
cross-project, administered by both sides, neutrally hosted etc. That
helps avoid further, baseless accusations of information hiding, not
sharing etc. This was built on a foundation of reciprocal treatment.

	Naturally, we maintain a private, internal security list for
LibreOffice developers to discuss fixes on in addition to that, and have
no issue with Apache OpenOffice doing likewise of course. It would be
good to know what the plan is from your side though.

	Thanks,

		Michael.

[snip]
Subject: [securityteam] Shutdown of the securityteam@openoffice.org mailing
Date: Mon, 12 Mar 2012 16:16:48 -0400

The securityteam@openoffice.org mailing list will cease operation on
or after March 15th, 2012.   This list, as well as numerous other
legacy mailing lists, were kindly hosted by Oracle during the
transition of OpenOffice to Apache.  Now that this infrastructure
transition is complete, the legacy lists will be retired.

The new address for reporting vulnerabilities to the Apache OpenOffice
project is :  ooo-security@incubator.apache.org

Instructions for submitting reports to the project can be found at
http://security.openoffice.org

If you wish to be on a notification list for public announcements of
vulnerabilities and patches, you are invited to subscribe to our
announcement list by sending an email to
ooo-announce-subscribe@incubator.apache.org.  We also publish
disclosures to full-disclosure@lists.grok.org.uk and
bugtraq@securityfocus.com.

Regards,

-Rob Weir, Apache OpenOffice Security Team

-- 
michael.meeks@suse.com  <><, Pseudo Engineer, itinerant idiot

Mime
View raw message