On Thu, Oct 6, 2011 at 5:07 PM, Shane Curcuru <a...@shanecurcuru.org> wrote:
> Wow, has this thread not gone anywhere, nor been as polite as I'd hope.
>
> ----
>
> Fundamentally, the ASF has delegated responsibility for all future Apache
> OpenOffice releases to the Apache OpenOffice PPMC. I believe and support
> them having a private security@ list that only PPMC members are allowed to
> subscribe to, to accept reports of vulnerabilities and to make plans to
> address them in ASF releases.
>
> The issue is, what to do with security issues raised about *previous*
> releases of OpenOffice.org software - something that normally we'd all look
> to Oracle and the previous Security Team of OpenOffice.org to fix, but in
> this case, we need to at least attempt to address them ourselves (hopefully,
> jointly).
>
> I think we've completely lost sight of "B", a place where Apache OpenOffice
> PPMC members and trusted others of related projects can work together.
> Given the interrelationships of code between OpenOffice and LibreOffice and
> others, I would definitely vote to use or host an
> officesecurity@somedomainprivate list where *any* existing members of an OOo
> related security team would all be allowed to subscribe and work on issues
> in conjunction.
>
> Personally, I'd suggest using the existing securityt...@openoffice.org for
> this purpose of "B", because it's already well known, and uses the
> openoffice.org domain (which will be hosted by the ASF in the future). The
> Apache-specific list would be the existing ooo-security@incubator.apache.org
> <ooo-secur...@incubator.apache.org> list, which would be open only to
> ASF committers that the Apache OpenOffice PPMC approves.
>
> But that's just my (non-binding) vote. But I'd definitely like to see more
> organized cooperation here in terms of capturing and sharing basic
> information about security fixes.
>

Thanks Shane, that is more or less what I had in mind too. But it seems that I wasn't able to describe it clearly enough.

Juergen

> And in terms of IP, I would hope that any participants in the (future)
> joint securityteam@oo.o list would agree explicitly to mail only
> AL-licensed code to that list, ensuring that the Apache OpenOffice podling
> could use it in a release.
>
> - Shane
>
>
> On 10/6/2011 10:38 AM, Florian Effenberger wrote:
>
>> Hi,
>>
>> Jürgen Schmidt wrote on 2011-10-06 14:40:
>>
>>> My idea is to simply use the existing securityt...@openoffice.org
>>> <knownsecurityteam@openoffice.org <knownsecurityt...@openoffice.org>>
>>> list for collaborative work on this topic. LibreOffice has also a separate
>>> security list, right. So I don't see your point here.
>>>
>>
>> I proposed that, Rob Weir refused to continue with the existing
>> contacts, telling things at Apache were different.
>>
>> Ping me when you folks have sorted out your issues.
>>
>> Florian
>>
>>