incubator-ooo-dev mailing list archives

From Michael Meeks <michael.me...@suse.com>
Subject Re: Shutdown of the securityteam@openoffice.org mailing
Date Mon, 19 Mar 2012 18:13:08 GMT
Hi there,

On Mon, 2012-03-19 at 15:38 +0100, Jürgen Schmidt wrote:
> Michael, I really don't like to blame anybody here. You should know the 
> truth and how the real story was. The patch was under ALv2 as our 
> complete source code is now, at the least the code granted by Oracle.

	Jurgen - this is simply not a blame game; the fact is that neither side
produced patches in a form that the other side could reasonably use :-)
We got this "... one LO developer refuses ..." stuff from Rob, the
reality is that it doesn't work well in either direction.

> So please stop perverting reality. We are open for any kind of 
> collaboration here and we will share the information we have.

	I dislike perverted realities as much as you do - but your statement
doesn't match what Rob suggests - that you will not share the
information you have in a timely way, but ask if submitters want to
share / re-submit elsewhere - which is rather different.

> It is another attempt to show that we don't want to 
> collaborate but it is again not true and we are very open.

	Sigh - the motivation is not to show anything, it is to discover what
the real situation is - and adapt to it.

> At the moment we have enough to do with our AOO project and don't take 
> care about other projects. But we are open for any kind of serious 
> collaboration at a time when we have time for it.

	Well, it's encouraging. My concern is to clearly understand what your
project is doing - and then, separately to think about how best to react
to that.

	And then Rob's mail:

On Mon, 2012-03-19 at 09:02 -0400, Rob Weir wrote:
> On Mon, Mar 19, 2012 at 8:44 AM, Michael Meeks <michael.meeks@suse.com> wrote:
> >        * Do you commit to -immediately- forward any externally reported
> >          security vulnerabilities vs. OO.o to the LibreOffice project ?
>
> We (AOO Security Team) would contact the reporter of the issue to
> determine their wishes. We would advise them if other products might
> also be impacted.  We would direct them to security contacts for the
> other products, or offer to share their report with those projects,
> as-is or in anonymized form.

	Interesting. Reading your statement, it seems you commit to a
significant round-trip delay, and potential non-forwarding of relevant
security issues depending on the reporter's input.

> Some security reporters appreciate and trust sending sensitive reports
> to an Apache address, where they have ongoing relations and
> experience.  Some prefer this than sending to a list of unknown
> composition and trustworthiness.

	This could be read as casting a negative light on our competence and
trustworthiness which is an unappreciated slant.

	It is at least clear however, and I am disappointed. We, LibreOffice,
tried to reach out and ensure the highest standards of sharing
disclosures at source; if only in part to rebut Rob's previous
ill-informed and inaccurate FUD in this area. We set up a neutrally
administered mailing list, and thus forced our submitters to
automatically send their reports to both projects.

	It seems this collaborative method is not your preferred approach,
which is sad.

	There are lots of other possible approaches that don't require a shared
mailing list - such as recommending multiple submission to each other's
security lists on vulnerability submission pages; that might work. To
make that a collaborative experience it has the downside of needing to
maintain CC's - something that has been broken in ~every other reply
made to this thread, sadly.

	Constructive suggestions appreciated.

	Regards,

		Michael.

-- 
michael.meeks@suse.com  <><, Pseudo Engineer, itinerant idiot

