I don't think the problem is with the size of the ooo-security list membership. I think it is in the assumption that the [P]PMC has somehow delegated the ability to make a release of any kind to the ooo-security team. I don't mean slip-streaming fixes and working off the public SVN until that happens. I mean developing and deploying all the rest of what accompanies an advisory along with provision of a mitigation.
The breakdowns were not in analyzing the reported vulnerability and the proof-of-exploit that accompanied it. I assume that ooo-security acquitted itself well in that regard as well as with the coordination with other parties, including ones external to Apache, having common concerns. The breakdown was in all of the non-security considerations and assumptions, even though they needed to be developed in confidence. The PPMC would have provided a proper arena for working that out. The PPMC has much to offer concerning the announcement of CVEs and the appropriate coordination and form of patch releases/updates. Those with valuable perspective on the deployment strategy and its support might have no sense of the technical work that ooo-security members undertake. There was nothing about this particular vulnerability that made it dangerous for the PPMC to know about it and the approach being taken to release an ASF-appropriate patch. The exploit is by crafting an ODF 1.2 document and all unpatched OO.o 3.x (and LibreOffice 3.x) installations remain vulnerable. I think it is safe to presume that there are, at this moment, significantly more unpatched installations than patched ones and I see that as a greater concern, if there is any, than consultation and review by the PPMC before the public advisory and patch release. A significant number of people external to the PPMC, including non-experts and those who may see themselves as competitors, knew about this prior to the announcement and there does not appear to have been any damage. - Dennis PS: I followed the public back-and-forth about the operation of security lists and venues for security coordination that Dave Fisher feels embarrassed about. I don't think it matters. Whether there was a way for the Apache OpenOffice project to issue repairs to OpenOffice.org distributions, or not, did not seem to be a significant feature of the dispute as I followed it. Indeed, knowledge of the possibility of an ASF patch was not a fact that could be used as a counter-point. Announcement of the particular vulnerability that was going to be dealt with by ASF in that manner was still under embargo. It remains a valid point that those who can't wait for a stable Apache OpenOffice release to satisfy their security concerns, especially on Linux where there is still no Apache patch, might want to look to other distributions whose current releases have that and other vulnerabilities repaired. It all depends. -----Original Message----- From: ant elder [mailto:ant.el...@gmail.com] Sent: Thursday, April 12, 2012 02:04 To: general@incubator.apache.org Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of "April2012" by robweir) On Thu, Apr 12, 2012 at 9:36 AM, Ross Gardler <rgard...@opendirective.com> wrote: > On 12 April 2012 09:27, Ross Gardler <rgard...@opendirective.com> wrote: >> On 12 April 2012 08:59, ant elder <ant.el...@gmail.com> wrote: >>> On Thu, Apr 12, 2012 at 8:37 AM, Ross Gardler >>> <rgard...@opendirective.com> wrote: >>>> On 12 April 2012 07:48, Dave Fisher <dave2w...@comcast.net> wrote: [ ... ] >>>>> Sorry, I can't remain mute, but I offended anyone, sorry, but this was >>>>> wrongly done. I don't know a better way.... [ ... ] >>> Surely at the ASF the line is at PMC membership. If only a subset of >>> the PPMC is trusted enough to be part of some inner circle then the >>> PPMC should be disbanded and reformed from just that inner circle. >> >> This is a podling with a very unusual history. it is not as simple as >> that. However, your general observation is a valid one. The time for >> addressing this is during incubation when it becomes possible to >> determine who is contributing positively to the running of the PPMC. > > I should also point out that the perception that information was kept > to a limited group implies mistrust of PPMC members is *false*. The > PPMC have an appointed security team just as many top level PMCs do > that team is tasked with handling security issues and it did so in > this case. > > As has been noted, this was *not* an ASF release, only one > *facilitated* by the ASF in the interests of supporting legacy users > of a project that has come to incubation. It is a very unusual > situation to which normal ASF policy does not apply. Handling it > outside normal ASF processes does not imply a problem with those > processes or the PPMC. > > Ross > Ross, I'm not trying to stick an oar in or anything and i don't know the details of what was done other than whats in this thread here, it just seems odd to me and it seems like there is some acknowledgement that this wasn't done perfectly so we the Incubator PMC should understand what happened. Sure there are other security teams but AFAIK they operate in conjunction with PMCs and keep PMCs in the loop that something is going on just withholding precise details of the vulnerability. ...ant --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
