www-infrastructure-issues mailing list archives

From "Rob Weir (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (INFRA-4216) Need private SVN space for OpenOffice security team
Date Wed, 21 Dec 2011 14:11:30 GMT

    [ https://issues.apache.org/jira/browse/INFRA-4216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13174112#comment-13174112 ]

Rob Weir commented on INFRA-4216:
---------------------------------

Mark asked "Why is a separate svn tree required. Many projects (for example httpd and Tomcat)
manage security vulnerabilities without requiring a separate svn tree."

Since I'm not a member of those security teams, I don't know how they handle things.  Perhaps
a unique circumstance of AOO is that we continue to receive and process reports against
the legacy pre-Apache release.  We need some way to track those and apply fixes to the first
Apache release, currently estimated for Q1 2012.  Since ooo-security is a private list with
no archives viewable to our participants, since we're not Apache members, this gives list
members no access to persistent storage of any kind to record status of issues, reports and
patches received, etc.

With a much narrower period of time between releases, this would be far less of an issue.
 But we're starting from a point where the first release of AOO will be a year after the last
release of the legacy OpenOffice.  This gives us too many reports, too many patches, too many
reporters to follow up with, etc.  to trust entirely to mere memory.

Does that make sense?

SVN seems like the most natural solution.  But a private ftp directory or a private wiki would
work just as well.
                
> Need private SVN space for OpenOffice security team
> ---------------------------------------------------
>
>                 Key: INFRA-4216
>                 URL: https://issues.apache.org/jira/browse/INFRA-4216
>             Project: Infrastructure
>          Issue Type: Task
>      Security Level: public(Regular issues) 
>          Components: Subversion
>            Reporter: Rob Weir
>
> We need an SVN subtree that the OpenOffice security team can use in its work.   The tree
> should be private, writable only for those on the ooo-security@i.a.o mailing list and the
> Apache Security team and invisible (not just read-only) to everyone else.  Commit notifications
> should go to only ooo-security.i.a.o.
