incubator-ooo-dev mailing list archives

From Rob Weir <robw...@apache.org>
Subject Re: Shutdown of the securityteam@openoffice.org mailing
Date Mon, 19 Mar 2012 12:11:15 GMT
On Mon, Mar 19, 2012 at 7:49 AM, Michael Meeks <michael.meeks@suse.com> wrote:
> Hi guys,
>
>        The appended mail was sent to the old multi-vendor security list at
> openoffice.org recipients. That seems reasonable - the infrastructure is
> coming to an end.
>
>        As previously discussed ( to death ;-) [ and I have no particular
> desire to re-open and re-hash the issue ] this
> securityteam@openoffice.org list -used- to be the multi-vendor, neutral
> place for reporting security vulnerabilities in openoffice.org and then
> Apache OpenOffice.
>

We've discussed this all before, but to reiterate, the previous list
was a security list for a single open source project. It was hosted by
that open source project. I'm not seeing in what sense that was
neutral.


>        With its move to Apache hosting, I have a few questions:
>
>        a) will the composition of this list remain the same, or
>           will it change to exclude non Apache-committers ? or is
>           this cross-project list simply gone ?
>

The list subscribers consist of a subset of AOO committers as well as
the Apache Security Team.   As with all private lists, any Apache
Member is also able to subscribe or view the list archives.

>        b) in the light of a) will Apache OpenOffice be recommending
>           reports be made exclusively to this address ?
>

You can see our security guidelines here:

http://incubator.apache.org/openofficeorg/security.html

Note: this has been our policy for several months, and in that time
we've been open with LO on sharing reports, analysis and even patches.
So this has been working.  The practical difficulty is that at least
one LO developer refuses to share their security patches with Apache
under the ALv2.  So our primary challenge has not been communications.

>        To re-iterate the status quo from the LibreOffice side: we recommend
> that issues are directed to a joint mailing list:
> officesecurity@lists.freedesktop.org that is vendor neutral,
> cross-project, administered by both sides, neutrally hosted etc. That
> helps avoid further, baseless accusations of information hiding, not
> sharing etc. This was built on a foundation of reciprocal treatment.
>

We have in the past and will in the future continue to share
appropriate information with LO and other concerned parties.   Your
freedesktop list is one way to share information more broadly,  when
needed. In fact we've used it for that purpose recently, yes?

>        Naturally, we maintain a private, internal security list for
> LibreOffice developers to discuss fixes on in addition to that, and have
> no issue with Apache OpenOffice doing likewise of course. It would be
> good to know what the plan is from your side though.
>

Is the above clear?  If not, please ask questions.

-Rob

>        Thanks,
>
>                Michael.
>
> [snip]
> Subject: [securityteam] Shutdown of the securityteam@openoffice.org mailing
> Date: Mon, 12 Mar 2012 16:16:48 -0400
>
> The securityteam@openoffice.org mailing list will cease operation on
> or after March 15th, 2012.   This list, as well as numerous other
> legacy mailing lists, were kindly hosted by Oracle during the
> transition of OpenOffice to Apache.  Now that this infrastructure
> transition is complete, the legacy lists will be retired.
>
> The new address for reporting vulnerabilities to the Apache OpenOffice
> project is :  ooo-security@incubator.apache.org
>
> Instructions for submitting reports to the project can be found at
> http://security.openoffice.org
>
> If you wish to be on a notification list for public announcements of
> vulnerabilities and patches, you are invited to subscribe to our
> announcement list by sending an email to
> ooo-announce-subscribe@incubator.apache.org.  We also publish
> disclosures to full-disclosure@lists.grok.org.uk and
> bugtraq@securityfocus.com.
>
> Regards,
>
> -Rob Weir, Apache OpenOffice Security Team
>
> --
> michael.meeks@suse.com  <><, Pseudo Engineer, itinerant idiot
>
