www-infrastructure-issues mailing list archives

From "Mark Thomas (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (INFRA-4216) Need private SVN space for OpenOffice security team
Date Wed, 21 Dec 2011 09:29:30 GMT

    [ https://issues.apache.org/jira/browse/INFRA-4216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13173969#comment-13173969 ]

Mark Thomas commented on INFRA-4216:

<hat role="security">
Yes it is. The security team is responsible for ensuring that projects are handling security
reports appropriately and where they are not, highlighting that to the board. The security
team's concern is not the size of the OOo PPMC but the low barrier to entry that was used
to establish the membership: add your name and e-mail address to a wiki page.

The ASF receives security reports in confidence and there is an expectation that we keep those
reports private. Normally, if we get this wrong only the project concerned is damaged. However,
OOo is different. There is an ecosystem of related projects where a security vulnerability
in one is likely to affect all. Therefore, we need to be particularly careful to keep any
vulnerability information confidential as it wouldn't just be ourselves we were harming if
we leaked the information, but all the projects in the ecosystem.

Access to OOo security vulnerabilities needs to be limited to trusted individuals. Adding
your name and e-mail to a wiki page is not sufficient to establish the trust necessary to
have access to the OOo security vulnerability reports.

If the current OOo security team is confident that they have the necessary level of trust
in every single PPMC member then there is no problem in using the private PPMC repo. I would
expect this point to be reached at some point as members of the PPMC demonstrate their trustworthiness
or, in the odd case, inactive folks are removed from the PPMC.

<hat role="infra">
Why is a separate svn tree required? Many projects (for example httpd and Tomcat) manage security
vulnerabilities without requiring a separate svn tree.

A question for joes4. If separate authorisation is required, I assume we could limit a sub-tree
of the OOo PPMC private repo to the OOo security team. Whether we would want the admin overhead
of doing so is a separate issue.

> Need private SVN space for OpenOffice security team
> ---------------------------------------------------
>                 Key: INFRA-4216
>                 URL: https://issues.apache.org/jira/browse/INFRA-4216
>             Project: Infrastructure
>          Issue Type: Task
>      Security Level: public(Regular issues) 
>          Components: Subversion
>            Reporter: Rob Weir
>
> We need an SVN subtree that the OpenOffice security team can use in its work.   The tree
> should be private, writable only for those on the ooo-security@i.a.o mailing list and the
> Apache Security team and invisible (not just read-only) to everyone else.  Commit notifications
> should go to only ooo-security.i.a.o.
