On Wed, Oct 12, 2011 at 9:04 AM, Shane Curcuru <a...@shanecurcuru.org> wrote:
> On 10/12/2011 8:51 AM, Rob Weir wrote:
>>
>> On Wed, Oct 12, 2011 at 6:34 AM, Ross Gardler
>> <rgard...@opendirective.com> wrote:
>>>
>>> Before I sign off I'd like to see the report address external
>>> communications explicitly.
>>>
>>> The project has a real problem right now with asserting itself as the
>>> OpenOffice.org project and defining how it will interact with
>>> downstream projects. Is the community going to take ownership of this?
>>>
>>> It would be nice to see a statement from the PPMC making it explicit
>>> what they wish to tackle and, where possible, how. For example, after
>>> a flurry of discussion about improved security reporting processes and
>>> collaboration opportunities is the PPMC going to deliver or will this
>>> just die down and go away?
>>>
>>
>> In that other long thread -- and it is understandable if you missed
>> this -- I said:
>>
>> "I think it would be good if the PPMC wanted to express to the
>> ooo-security members that they want us to make security collaboration
>> with TDF/LO a priority and to make every effort to share all
>> appropriate information with TDF/LO. I'd support that. This could be
>> solemnized by having a few Apache members, maybe mentors, affirm that
>> they will make an effort to monitor that ooo-security list and to
>> escalate to the AOOo PPMC if there is any backsliding on this."
>
> I'm not sure what you're actually asking here. "ooo-security members"
> should be the people the PPMC appoints/approves there (and potentially
> anyone that the central Apache security@ team appoints), so it seems like
> you're talking about yourselves there. Who else is there between the
> ooo-security@ list and the PPMC?
>

Currently, there is no one between ooo-security and the PPMC. And I
am perfectly fine with that. But Ross's question was about external
relations, not the relationship between the PPMC and ooo-security.

> Yes, I agree that efforts should be made to responsibly share security
> issues with technically related projects. This should be a default; while
> it's certainly good to bring it up, if there was anyone here who wasn't
> clear on the idea that Apache projects *must* take security seriously,
> then... well, then they should change their expectations.
>

That wasn't my point. I don't think it was Ross's either.

> Security in Apache products - and properly handling reports and
> *responsibly* disclosing issues - is a mandatory feature. If the PPMC does
> have specific questions on best Apache practices, then security@ is the
> place to go.
>

Yes, but not the point.

>> So I'm proposing that a couple Apache members step up to the plate on
>> this as well. What do you say?
>
> The point of incubation is to show a healthy community that manages itself.
> So I'm looking to the PPMC to be handling this yourselves. That said,
> trying to attract new contributors - especially ones who are familiar with
> the Apache Way - is always a good idea.
>

Maybe someone else can explain this better, since I'm obviously
failing to get my point across here. If no one else cares, then
that's fine too.

> I certainly plan to review the ooo-security@ list periodically to see how
> it's operating, as a mentor, but currently that's to prove to myself that
> the project's members are acting responsibly, not necessarily to do the
> project's work for it.
>
> - Shane
>
>
>>
>> -Rob
>>
>>
>>> NOTE I'm not asking for a full strategy in the report, just a
>>> statement indicating whether or not the PPMC feels that it owns these
>>> issues. If it doesn't want to own them then who does?
>>>
>>> Ross
>>>
>>> On 7 October 2011 15:33, Shane Curcuru<a...@shanecurcuru.org> wrote:
>>>>
>>>> Tip: the board always appreciates well written reports that follow these
>>>> reporting guidelines:
>>>>
>>>> http://www.apache.org/foundation/board/reporting
>>>>
>>>> - Shane
>>>>
>>>> On 10/5/2011 8:05 PM, Alexandro Colorado wrote:
>>>>>
>>>>> Added some items for the October report for OOo. Feel free to chip in.
>>>>>
>>>>>
>>>>> http://wiki.apache.org/incubator/October2011?action=diff&rev2=11&rev1=10
>>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Ross Gardler (@rgardler)
>>> Programme Leader (Open Development)
>>> OpenDirective http://opendirective.com
>>>