incubator-ooo-dev mailing list archives

From Michael Meeks <michael.me...@suse.com>
Subject Re: Shutdown of the securityteam@openoffice.org mailing
Date Mon, 19 Mar 2012 12:44:31 GMT
Hi Rob,

On Mon, 2012-03-19 at 08:11 -0400, Rob Weir wrote:
> We've discussed this all before, but to reiterate, the previous list
> was a security list for a single open source project. It was hosted by
> that open source project. I'm not seeing in what sense that was
> neutral.

	It was project-neutral, it included LibreOffice and Apache OpenOffice,
and Symphony developers and distributors.

> >        a) will the composition of this list remain the same, or
> >           will it change to exclude non Apache-committers ? or is
> >           this cross-project list simply gone ?
>
> The list subscribers consist of a subset of AOO committers as well
> as the Apache Security Team.  As with all private lists, any Apache
> Member is also able to subscribe or view the list archives.

	So I'll take that as: the previous project-neutral list being killed,
and being replaced with an Apache OpenOffice specific list. That is
indeed an unfortunate development worth noticing.

> >        b) in the light of a) will Apache OpenOffice be recommending
> >           reports be made exclusively to this address ?
>
> You can see our security guidelines here:
>    http://incubator.apache.org/openofficeorg/security.html

	And you can contrast with ours here:

	http://www.libreoffice.org/advisories/

	"The security teams for products associated with the code-base
	 can be contacted at officesecurity@lists.freedesktop.org, this
	 includes representatives of many vendors, and associated
	 projects."

> Note: this has been our policy for several months, and in that time
> we've been open with LO on sharing reports, analysis and even patches.

	That is interesting. I had imagined that you would continue to direct
security bugs to the cross-project list, given your enthusiasm for that
being -the- list to send reports to. I must admit I'm disappointed.

>  So this has been working.  The practical difficulty is that at least
> one LO developer refuses to share their security patches with Apache
> under the ALv2.  So our primary challenge has not been communications.

	Wow - my perception is the converse of that, let me invert your
statement:

	One Apache OpenOffice developer refuses to share their security patches
with LibreOffice under the MPL/LGPLv3+. While the AL2 license is in
theory compatible, this is a real issue due to compliance and header
requirements. Combine an LGPLv3-only work with a header-less AL2 patch,
and what does the header look like ? :-) That's an expensive question to
answer satisfactorily - and one that would be substantially eased by
more flexibility. So - this cuts both ways.

	On the other hand, it's a total red-herring wrt. transparent,
simultaneous disclosure to both projects on a shared list, these are
orthogonal issues; it is at least better to have one without the other.

> >        To re-iterate the status quo from the LibreOffice side: we recommend
> > that issues are directed to a joint mailing list:
> > officesecurity@lists.freedesktop.org that is vendor neutral,
> > cross-project, administered by both sides, neutrally hosted etc. That
> > helps avoid further, baseless accusations of information hiding, not
> > sharing etc. This was built on a foundation of reciprocal treatment.
>
> We have in the past and will in the future continue to share
> appropriate information with LO and other concerned parties.

	It is highly regrettable that you are not willing and/or able to
reciprocate in sharing all your incoming vulnerability reports in this
way, as we have done. Is this something that the Apache OpenOffice
project has decided to do, or is this your decision ?

> Your freedesktop list is one way to share information more broadly,
> when needed. In fact we've used it for that purpose recently, yes?

	We have a private security mailing list that should suffice for this
purpose. Indeed - having a project-neutral, vendor neutral, neutrally
administered list elsewhere is more work.

> Is the above clear?  If not, please ask questions.

	* Do you commit to -immediately- forward any externally reported
	  security vulnerabilities vs. OO.o to the LibreOffice project ?

	* If so - why not do this by advertising a cross-project
	  shared security list, following our example ?

	* If not, why not ? & who does the forwarding & when ?

	All the best,

		Michael.

-- 
michael.meeks@suse.com  <><, Pseudo Engineer, itinerant idiot
