On Apr 12, 2012, at 2:20 PM, Rob Weir wrote:

> On Thu, Apr 12, 2012 at 5:08 PM, Dave Fisher <dave2w...@comcast.net> wrote:
>>
>> On Apr 12, 2012, at 1:00 PM, Dennis E. Hamilton wrote:
>>
>>> Yes, this was already raised on the PPMC (on March 22) as you know. It seems to me that the PPMC is not concerned.
>>>
>>> It is interesting that it is thought, here, that the remedy is to add more ooo-security subscribers from the PPMC. That had not come up before.
>>
>> Well, I did raise it on ooo-private. My suggestion was to add someone who understood Linux distributions to ooo-security ASAP. I got blowback. This was unfortunate. Since then we've had discussions about culture, politeness and apologies. There was some discussion about OpenOffice and Linux distros on ooo-dev, but more in the context of the AOO release plans.
>>
>> My frustration about not being informed was that no one gave even the slightest notice OFFLIST that there was a reason that certain people were asking the project questions and that things were not as I thought and I should move on and let the world revolve. This is particularly true since I was responding with what I had every reason to believe was the project policy.
>>
>> Emotions pass. What's the root cause? It's a communication problem; why was communication blocked?
>>
>> If there are individuals on a PPMC that the podling security team and Mentors feel are not trustworthy enough that it is decided to forgo the minimal courtesy of keeping the PPMC informed to manage the process as Dennis described, then perhaps the problem is with the PPMC membership itself.
>>
>> Normally a podling will set the PMC as part of the graduation resolution. Perhaps the AOO PPMC membership needs to be revised sooner. Any advice?
>>
>
> So step back, to when the podling received notice of our first security report. The Apache Security Team would not give it to the PPMC, not even on ooo-private.
> The issue was not the size of the PPMC per se, or even its status as a podling. The issue was the way in which the "initial committers" were selected, that anyone could just walk in "off the street" in essence, put their name down and be an instant PPMC member. Needless to say, a group of nearly 100 initial committers formed that way is not the best way to have a secure discussion.
>
> So the request, at that time, was to make a smaller list --- ooo-security -- and to share such sensitive information only on that list. Of course, Mentors and other Apache Members can view that list, as can Apache Security Team members.
>
> I have no doubts that as a TLP the AOO PMC will shed 30%+ of the current membership. That would take care of the names of people who signed up, returned the ICLA but then have not been heard of since. I think we can reach the point where matters of some sensitivity can be shared more broadly on ooo-private.
>
> But you also need to understand that this is not only about trust. It is about security. If I personally trusted you like a brother, and trusted every PPMC member like a brother (or sister), it would not make sense to share all security information with a list of 90 trusted siblings. Why? Because of human error. Because of stolen iPhones. Because of accidentally forwarded emails. Because of accidentally typed recipients. Because of 4am's and because shit happens. It will never make sense to share such sensitive information more broadly than needed to deal with the actual security issue. This is not about trust. It is about compartmentalization. In other words, the security list is about security.
I do understand that security is special. You miss my point. I'm not talking about the actual security issue detail. Just that a security announcement, release, whatever is about to happen. As a PPMC member I should be able to ask questions in advance about how it is being handled. If nothing else, to help make sure that there is some form of oversight. I am also talking about more subtly informing someone without disclosing any real information. As you said, security@ did inform us that there was an issue, but not the details.

Regards,
Dave

>
> -Rob
>
>> Regards,
>> Dave
>>
>>
>>>
>>> - Dennis
>>>
>>> -----Original Message-----
>>> From: Ross Gardler [mailto:rgard...@opendirective.com]
>>> Sent: Thursday, April 12, 2012 12:41
>>> To: general@incubator.apache.org; dennis.hamil...@acm.org
>>> Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of "April2012" by robweir)
>>>
>>> On 12 April 2012 17:32, Dennis E. Hamilton <dennis.hamil...@acm.org> wrote:
>>>> I don't think the problem is with the size of the ooo-security list membership. I think it is in the assumption that the [P]PMC has somehow delegated the ability to make a release of any kind to the ooo-security team. I don't mean slip-streaming fixes and working off the public SVN until that happens. I mean developing and deploying all the rest of what accompanies an advisory along with provision of a mitigation.
>>>>
>>>
>>> Whether this is the case or not should be discussed on the ooo-dev lists rather than the IPMC general list. This is not an IPMC issue. All IPMC members are free to join that list or read its archives if they so desire.
>>>
>>> Ross
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
>>> For additional commands, e-mail: general-h...@incubator.apache.org