It's great to see this coming together now. Thank you everyone.

Ross

On 12 October 2011 16:48, Dave Fisher <dave2w...@comcast.net> wrote:
>
> On Oct 12, 2011, at 6:43 AM, Rob Weir wrote:
>
>> On Wed, Oct 12, 2011 at 9:04 AM, Shane Curcuru <a...@shanecurcuru.org> wrote:
>>> On 10/12/2011 8:51 AM, Rob Weir wrote:
>>>>
>>>> On Wed, Oct 12, 2011 at 6:34 AM, Ross Gardler
>>>> <rgard...@opendirective.com>  wrote:
>>>>>
>>>>> Before I sign off I'd like to see the report address external
>>>>> communications explicitly.
>>>>>
>>>>> The project has a real problem right now with asserting itself as the
>>>>> OpenOffice.org project and defining how it will interact with
>>>>> downstream projects. Is the community going to take ownership of this?
>>>>>
>>>>> It would be nice to see a statement from the PPMC making it explicit
>>>>> what they wish to tackle and, where possible, how. For example, after
>>>>> a flurry of discussion about improved security reporting processes and
>>>>> collaboration opportunities is the PPMC going to deliver or will this
>>>>> just die down and go away?
>>>>>
>>>>
>>>> In that other long thread -- and it is understandable if you missed
>>>> this -- I said:
>>>>
>>>> "I think it would be good if the PPMC wanted to express to the
>>>> ooo-security members that they want us to make security collaboration
>>>> with TDF/LO a priority and to make every effort to share all
>>>> appropriate information with TDF/LO.  I'd support that.  This could be
>>>> solemnized by having a few Apache members, maybe mentors, affirm that
>>>> they will make an effort to monitor that ooo-security list and to
>>>> escalate to the AOOo PPMC if there is any backsliding on this."
>>>
>>> I'm not sure what you're actually asking here.  "ooo-security members"
>>> should be the people the PPMC appoints/approves there (and potentially
>>> anyone that the central Apache security@ team appoints), so it seems like
>>> you're talking about yourselves there.  Who else is there between the
>>> ooo-security@ list and the PPMC?
>>>
>>
>> Currently, there is no one between ooo-security and the PPMC.  And
>> I am perfectly fine with that.  But Ross's question was about external
>> relations, not the relationship between the PPMC and ooo-security.
>
> I think that "we" as the AOOo PPMC will need to find one or more PPMC members 
> to fulfill certain external roles.
>
> Perhaps these roles are:
>
> (1) Public face of Security for AOOo.
>
> (2) Liaison with the TDF.
>
> (3) Press Liaison.
>
> (4) Brand Manager / Cat Herder.
>
> With people in these roles who are active then perhaps the rest of us can 
> defer immediate responses to questions in these areas when they occur on 
> ooo-dev. With slight formality we might be able to stop the periodic and 
> damaging flames of misunderstanding.
>
> Regards,
> Dave
>
>>
>>> Yes, I agree that efforts should be made to responsibly share security
>>> issues with technically related projects.  This should be a default; while
>>> it's certainly good to bring it up, if there was anyone here who wasn't
>>> clear on the idea that Apache projects *must* take security seriously,
>>> then... well, then they should change their expectations.
>>>
>>
>> That wasn't my point.  I don't think it was Ross's either.
>>
>>> Security in Apache products - and properly handling reports and
>>> *responsibly* disclosing issues - is a mandatory feature.  If the PPMC does
>>> have specific questions on best Apache practices, then security@ is the
>>> place to go.
>>>
>>
>> Yes, but not the point.
>>
>>>> So I'm proposing that a couple Apache members step up to the plate on
>>>> this as well.  What do you say?
>>>
>>> The point of incubation is to show a healthy community that manages itself.
>>> So I'm looking to the PPMC to be handling this yourselves. That said,
>>> trying to attract new contributors - especially ones who are familiar with
>>> the Apache Way - is always a good idea.
>>>
>>
>> Maybe someone else can explain this better, since I'm obviously
>> failing to get my point across here.  If no one else cares, then
>> that's fine too.
>>
>>> I certainly plan to review the ooo-security@ list periodically to see how
>>> it's operating, as a mentor, but currently that's to prove to myself that
>>> the project's members are acting responsibly, not necessarily to do the
>>> project's work for it.
>>>
>>> - Shane
>>>
>>>
>>>>
>>>> -Rob
>>>>
>>>>
>>>>> NOTE I'm not asking for a full strategy in the report, just a
>>>>> statement indicating whether or not the PPMC feels that it owns these
>>>>> issues. If it doesn't want to own them then who does?
>>>>>
>>>>> Ross
>>>>>
>>>>> On 7 October 2011 15:33, Shane Curcuru <a...@shanecurcuru.org> wrote:
>>>>>>
>>>>>> Tip: the board always appreciates well written reports that follow these
>>>>>> reporting guidelines:
>>>>>>
>>>>>>  http://www.apache.org/foundation/board/reporting
>>>>>>
>>>>>> - Shane
>>>>>>
>>>>>> On 10/5/2011 8:05 PM, Alexandro Colorado wrote:
>>>>>>>
>>>>>>> Added some items for the October report for OOo. Feel free to chip in.
>>>>>>>
>>>>>>>
>>>>>>> http://wiki.apache.org/incubator/October2011?action=diff&rev2=11&rev1=10
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Ross Gardler (@rgardler)
>>>>> Programme Leader (Open Development)
>>>>> OpenDirective http://opendirective.com
>>>>>
>>>
>
>



-- 
Ross Gardler (@rgardler)
Programme Leader (Open Development)
OpenDirective http://opendirective.com
