incubator-ooo-dev mailing list archives

From Jürgen Schmidt <jogischm...@googlemail.com>
Subject Re: Shutdown of the securityteam@openoffice.org mailing
Date Mon, 19 Mar 2012 14:38:23 GMT
On 3/19/12 1:44 PM, Michael Meeks wrote:
> Hi Rob,
>
> On Mon, 2012-03-19 at 08:11 -0400, Rob Weir wrote:
>> We've discussed this all before, but to reiterate, the previous list
>> was a security list for a single open source project. It was hosted by
>> that open source project. I'm not seeing in what sense that was
>> neutral.
>
> 	It was project-neutral, it included LibreOffice and Apache OpenOffice,
> and Symphony developers and distributors.
>
>>>         a) will the composition of this list remain the same, or
>>>            will it change to exclude non Apache-committers ? or is
>>>            this cross-project list simply gone ?
>>
>> The list subscribers consists of a subset of AOO committers as well
>> the Apache Security Team.   As with all private lists, any Apache
>> Member is also able to subscribe or view the list archives.
>
> 	So  I'll take that as: the previous project-neutral list being killed,
> and being replaced with an Apache OpenOffice specific list. That is
> indeed an unfortunate development worth noticing.
>
>>>         b) in the light of a) will Apache OpenOffice be recommending
>>>            reports be made exclusively to this address ?
>>
>> You can see our security guidelines here:
>>     http://incubator.apache.org/openofficeorg/security.html
>
> 	And you can contrast with ours here:
>
> 	http://www.libreoffice.org/advisories/
>
> 	"The security teams for products associated with the code-base
> 	 can be contacted at officesecurity@lists.freedesktop.org, this
> 	 includes representatives of many vendors, and associated
> 	 projects."
>
>> Note: this has been our policy for several months, and in that time
>> we've been open with LO on sharing reports, analysis and even patches.
>
> 	That is interesting. I had imagined that you would continue to direct
> security bugs to the cross-project list, given your enthusiasm for that
> being -the- list to send reports to. I must admit I'm disappointed.
>
>>   So this has been working.  The practical difficulty is that at least
>> one LO developer refuses to share their security patches with Apache
>> under the ALv2.  So our primary challenge has not been communications.
>
> 	Wow - my perception is the converse of that, let me invert your
> statement:
>
> 	One Apache OpenOffice developer refuses to share their security patches
> with LibreOffice under the MPL/LGPLv3+. While the AL2 license is in
> theory compatible, this is a real issue due to compliance and header
> requirements. Combine an LGPLv3-only work with a header-less AL2 patch,
> and what does the header look like ? :-) That's an expensive question to
> answer satisfactorily - and one that would be substantially eased by
> more flexibility. So - this cuts both ways.

Michael, I really don't like to blame anybody here. You should know the 
truth and how the real story was. The patch was under ALv2, as our 
complete source code is now, at least the code granted by Oracle.

And the patch was offered as it is. And there was another patch that was 
not shared by somebody (not from AOO), and for which we have, by the way, 
found a better fix.

So please stop perverting the reality. We are open for any kind of 
collaboration here, and we will share the information we have.

Sharing in a way that is adequate for security issues, and as transparent 
and open as possible for this kind of issue.

Before people start blaming Rob, think twice about it. It is a 
sensitive topic, and we don't want to discuss it more than necessary here on 
this list. It is another attempt to show that we don't want to 
collaborate, but it is again not true, and we are very open.

At the moment we have enough to do with our AOO project and don't take 
care of other projects. But we are open for any kind of serious 
collaboration at a time when we have time for it. And of course 
security issues are taken seriously and handled in time from our perspective, and 
people involved in the security issues should have already noticed this.

Juergen



>
> 	On the other hand, it's a total red-herring wrt. transparent,
> simultaneous disclosure to both projects on a shared list, these are
> orthogonal issues; it is at least better to have one without the other.
>
>>>         To re-iterate the status quo from the LibreOffice side: we recommend
>>> that issues are directed to a joint mailing list:
>>> officesecurity@lists.freedesktop.org that is vendor neutral,
>>> cross-project, administered by both sides, neutrally hosted etc. That
>>> helps avoid further, baseless accusations of information hiding, not
>>> sharing etc. This was built on a foundation of reciprocal treatment.
>>
>> We have in the past and will in the future continue to share
>> appropriate information with LO and other concerned parties.
>
> 	It is highly regrettable that you are not willing and/or able to
> reciprocate in sharing all your incoming vulnerability reports in this
> way, as we have done. Is this something that the Apache OpenOffice
> project has decided to do, or is this your decision ?
>
>> Your freedesktop list is one way to share information more broadly,
>> when needed. In fact we've used it for that purpose recently, yes?
>
> 	We have a private security mailing list that should suffice for this
> purpose. Indeed - having a project-neutral, vendor neutral, neutrally
> administered list elsewhere is more work.
>
>> Is the above clear?  If not, please ask questions.
>
> 	* Do you commit to -immediately- forward any externally reported
> 	  security vulnerabilities vs. OO.o to the LibreOffice project ?
>
> 	* If so - why not do this by advertising a cross-project
> 	  shared security list, following our example ?
>
> 	* If not, why not ? & who does the forwarding & when ?
>
> 	All the best,
>
> 		Michael.
>
