After initiating the OOo security team 5 years ago, and doing most of
the coordination stuff for OOo security fixes, please allow me to
state my pov wrt ooo-security :)
ooo-security is _not_ a mailing list where all people interested in
security related stuff can discuss fancy things.
ooo-security is about confidential stuff, and must be a closed list. The
number of subscribers should be kept low.
The reasons why somebody should be allowed to be on ooo-security are:
- People responsible for handling security issues.
This includes people who communicate with the security researchers who
report vulnerabilities, and people doing security analyses and fixes.
For the fixes it might happen that they involve others, who better
know the code. So it may happen that many more people will work on
security issues than are subscribed to the list. Everybody who knows
a bigger chunk of code might need to do some security fix some time,
but that doesn't mean that all these people should be subscribed to
the list.
- People responsible for the security of related products.
People from products based on AOOo might need to do the same or
similar fixes in their product, or even might want to help fixing the
issue in the base product.
This definitely includes people from LibreOffice!
- People responsible for providing patches or updated program versions.
In the OOo Security Team, we have from most Linux distros someone
from their security team, so they know about the issues and can
prepare for updates.
- People responsible for writing security bulletins
Once AOOo is a real product, we need to get CVEs for security issues
and need to write and publish security bulletins.
First we should get the right people on the list who work in the first 2
areas. As long as we don't have a product, we don't need security
bulletins. Also we only need to add security people from the distros
once they ship vanilla AOOo. When they continue shipping LibO, they only
need to be on the LibO security list.
It's not clear to me whether or not all people must be committers for
some reason. With "people responsible for the security of related
products", I have the feeling they shouldn't need to be committers.
From the people on the current OOo security team, there are (iirc) only
2 people besides myself who regularly worked on fixes for security
issues: Caolan McNamara and Rene Engelhard. I would like to add them to
ooo-security. They are also in the LibO security team, so adding them
should give enough LibO coverage.
Malte.
On 28.07.2011 09:18, Florian Effenberger wrote:
Hello,
Rob Weir wrote on 2011-07-28 04:08:
-1. This is the project's private security list, with only a subset
of the PPMC on it. We should not have 3rd parties signed up on it.
that would mark a negative change in the way things are handled. Since
the beginning of LibO, we have also been collaborating with the
OpenOffice.org folks on security and vice versa, and from what has been
discussed the last weeks on those private lists, I got the impression
that everyone involved wanted to keep that good spirit and cooperation,
as it has been shown to be beneficial for both sides.
I second André and Drew in their opinion that this is actually one of
the areas where cooperation is very easily possible, so IMHO, we
shouldn't waste that chance.
Florian