openoffice-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Weir <robw...@apache.org>
Subject Re: New license for libwpd, libwps, libwpg
Date Sun, 21 Apr 2013 14:35:49 GMT
On Sun, Apr 21, 2013 at 9:25 AM, janI <jani@apache.org> wrote:

> On Apr 21, 2013 2:15 PM, "Rob Weir" <robweir@apache.org> wrote:
> >
> > On Sun, Apr 21, 2013 at 4:58 AM, Andrea Pescetti <pescetti@apache.org
> >wrote:
> >
> > > As you can see in
> > > http://sourceforge.net/**projects/libwpd/files/libwpd/**libwpd-0.9.7/<
> http://sourceforge.net/projects/libwpd/files/libwpd/libwpd-0.9.7/>
> > > http://sourceforge.net/**projects/libwps/files/libwps/**libwps-0.2.8/<
> http://sourceforge.net/projects/libwps/files/libwps/libwps-0.2.8/>
> > > http://sourceforge.net/**projects/libwpg/files/libwpg/**libwpg-0.2.2/<
> http://sourceforge.net/projects/libwpg/files/libwpg/libwpg-0.2.2/>
> > >
> > > the three libraries that OpenOffice was using to import WordPerfect, MS
> > > Works and WordPerfect Graphics files have now been dual-licensed; one
> of
> > > the licenses is MPLv2.
> > >
> > > Does this mean that we can include them back in OpenOffice if we wish
> to
> > > do so? If I recalled correctly, they were removed as of 3.4.0 due to
> > > incompatible licensing. Any reasons for/against including them now?
> > >
> > >
> > If we do we'll need to be careful that we don't reintroduce this issue:
> >
> > http://www.openoffice.org/security/cves/CVE-2012-2149.html
> >
> > Security team has the details.
>
> I have heard several times, that we have a security team, but apart from a
> couple of very old mail threads they seem to be invisible. As I deal with
> security issues at least once a week it would be nice to have the members
> on a public list. I apologize in advance if the list exist and I just
> missed it.
>
>

Due to the nature of their work the security team works on a private list.
There is an ASF security team, info here:

http://www.apache.org/security/

They then coordinate with project-specific security teams.  Some projects
just use their private PMC lists for this work.  Some (like AOO) have a
dedicated private list, self-selected from the PMC.  Our page is here:

http://openoffice.apache.org/security.html

Note:  these security lists are generally for reviewing and resolving
reported vulnerabilities in our software and preparing CVE reports.
Typically a security researcher will find a vulnerability, report to it the
vendor, and give the vendor an opportunity to fix the problem before they
go public.  This is a practice called "responsible disclosure".  On the AOO
security list we don't discuss issues related to our servers.  If we did
get such a report we'd go directly to infrastructure-private@.

Hopefully that clears up what the security team does.   Maybe for what
you're looking for a public admin@openoffice.apache.org list would be good?

Regards,

-Rob

It would also be nice to know the charter of the team, does it include
> download, wiki etc.
>
> rgds
> jan I
> >
> > -Rob
> >
> >
> >
> > > Regards,
> > >   Andrea.
> > >
> > >
> ------------------------------**------------------------------**---------
> > > To unsubscribe, e-mail: dev-unsubscribe@openoffice.**apache.org<
> dev-unsubscribe@openoffice.apache.org>
> > > For additional commands, e-mail: dev-help@openoffice.apache.org
> > >
> > >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message