On Tue, Oct 25, 2011 at 7:19 PM, Dave Fisher <dave2w...@comcast.net> wrote: > > On Oct 25, 2011, at 4:05 PM, Rob Weir wrote: > >> On Tue, Oct 25, 2011 at 7:01 PM, Dennis E. Hamilton >> <dennis.hamil...@acm.org> wrote: >>> Oh, and the most important part: >>> >>> In want way is the AOOo party to the consensus that is reached? That >>> ooo-security (an agent of the PPMC, essentially) will participate in the >>> described community arrangement if established? Something else? >>> >> >> It would be good to also include in the proposal how IP will be >> treated. By my reading of the iCLA this would not be covered, since >> it is not an Apache list. We'd need to make some other agreement, >> take it to legal-discuss, etc. > > I'm not so sure. >
Think of it this way: where else at Apache is it permissible for an Incubation project to collaborate on project code on a private non-Apache list, with no agreement on license, no mentor visibility, and no audit trail for Apache members to inspect? This doesn't sound like the kind of diligence Apache projects traditionally give to IP issues everywhere else. We owe it to our users and ourselves to get this right. > ooo-security is responsible for assuring that security fixes for AOOo are AL2 > compatible. If the shared security group is not producing compatible IP in > response to a security threat that is a different problem. If it happens > often then ooo-security will need to discuss this with ooo-private. > Putting the responsibility on ooo-security members in such an untenable situation will only lead to the resignation of ooo-security members. I think we need some way to enforce this. >From what I'm reading, not even Apache committers who have signed the iCLA are bound to the iCLA for contributions made on some ad-hoc, private, non-Apache list. > We can make it a mission statement of this group to help all the peers > produce fixes that are compatible with their licenses. I don't think we can > guarantee all individuals on the team will be able to always do so. Requiring > such an affirmation is clearly a blocker for some individual's participation. > I think then we need to weight having a smashing fun party with LO hackers in a private, unauditable list with no license discipline versus Apache's primary mission of producing software for public use under the Apache 2.0 license. The alternative is to step back, realize that Florian has confused what the PPMC position is on securityteam participation and take that route. Since that would be an Apache list, AOOo committers would already be covered. And we could cover the remaining users via a Terms of Use statement for the list. -Rob > Regards, > Dave > >> >>> I think that would be essential to bringing this to a successful conclusion. >>> >>> -----Original Message----- >>> From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org] >>> Sent: Tuesday, October 25, 2011 15:45 >>> To: 'ooo-dev@incubator.apache.org' >>> Cc: 'Dave Fisher' >>> Subject: RE: [proposal] Neutral / shared security list ... >>> >>> Dave, if you are going to do that, just relabeling a thread is not helpful. >>> >>> Please compose a specific concrete proposal under a [DISCUSS], and announce >>> the duration and end-time for a lazy consensus at the top. >>> >>> Give it at least 3 full 24-hour calendar days. >>> >>> I don't have any sense that there is alignment yet, but there may be in >>> that time and I am happy to be mistaken. Then at the end, if there is a >>> consensus, please report what it is. >>> >>> - Dennis >>> >>> -----Original Message----- >>> From: Dave Fisher [mailto:dave2w...@comcast.net] >>> Sent: Tuesday, October 25, 2011 15:35 >>> To: ooo-dev@incubator.apache.org >>> Cc: flo...@documentfoundation.org >>> Subject: Re: [proposal] Neutral / shared security list ... >>> >>> Hi - >>> >>> Sorry to reply to myself. >>> >>> Even though there are choices in this email. Please view it as a proposal. >>> Where we are seeking lazy consensus. >>> >>> On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote: >>> >>>> On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote: >>>> >>>>> On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher <dave2w...@comcast.net> >>>>> wrote: >>>>> >>>>>> >>>>>> Agreed. We need to pick a neutral domain name. office-security.org is >>>>>> apparently free. >>>>>> >>>>>> Some institution needs to buy domain registration. I've been the >>>>>> volunteer >>>>>> registrar for a social groups domain, it is a pain to transition. This >>>>>> needs >>>>>> to be an institution, it could be Team OOo? >>>>>> >>>>> >>>>> I think they are too close to the matter. SPI exists specifically to hold >>>>> assets in trust - perhaps they would hold the registration for us all? If >>>>> we agree I'd be happy to volunteer to contact them. >>>>> >>>>> It's also possible we could ask OSI to do it - Jim Jagielski and I are >>>>> both >>>>> on the Board at present. >>>> >>>> These are both interesting ideas. >>> >>> The proposal is to pick a domain and get registration Simon volunteers to >>> help. >>> >>> >>>> >>>>> >>>>> >>>>>> >>>>>> An ISP for hosting the private ML needs to be selected. Dennis suggests >>>>>> that the ASF could be that ISP for free. >>>> >>>> <slight snip/> >>>> >>>> And: >>>> >>>> <insert> >>>> >>>> On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote: >>>> >>>> <snip/> >>>> >>>>> >>>>> If we basically agree that such a list as outlined by me is a way to go, >>>>> I am happy to ask a friend of mine who has a very good reputation in >>>>> being a mail server, mailing list and security expert, with a very good >>>>> track record, including all sorts of certifications. He is offering >>>>> e-mail services as business. >>>>> >>>>> I just don't want to spread the name publically without asking him first, >>>>> and I don't want to ask him, before we have some common understanding. :-) >>>>> >>>> >>>> >>>> </insert> >>> >>> The proposal is for the exiting securityteam to choose, the above are two >>> possibilities. >>> >>> >>>> >>>> >>>>>> >>>>>> securityteam@oo.o is migrated to whatever the new list is, and those >>>>>> people start administrating. >>>>>> >>>>>> I think it is very important for the public to know who all of the >>>>>> projects >>>>>> are on the shared ML. >>> >>> I propose that this shared security team provide a list of participating >>> peers to the public. >>> >>>>>> >>>>>> Are we done already :-) >>>> >>>> Let's let the world revolve to see if we have some Consensus. >>> >>> Revolve 3x or 72 hours. >>> >>> Regards, >>> Dave >>> >>>> >>>> Regards, >>>> Dave >>>> >>>>>> >>>>>> Regards, >>>>>> Dave >>>>>> >>>>>>> >>>>>>> That is fair to anyone, does not exclude anyone, does not benefit one >>>>>>> over the other -- it's easy, simple, and the best way to go. Sure, >>>>>>> everyone can create own aliases pointing to that list, but the core is >>>>>>> the same, and that's what matters. >>>>>>> >>>>>>> If you folks now start complaining about we don't trust Apache, we can >>>>>>> answer by complaining you don't trust TDF and so on. It's a horrible >>>>>>> waste of time, it's lame, it does not help anyone, and it makes me doubt >>>>>>> we're talking amongst adults, seriously. >>>>>>> >>>>>>> And, really, all this crap being tossed around about trustworthiness, >>>>>>> upstream, downstream, code similarities and insults is worth not even >>>>>>> the digital paper it's written on. >>>>>>> >>>>>>> I made a simple, plain, and easy proposal. Don't make things overly >>>>>>> complicated, folks. >>>>>>> >>>>>>> Thanks for considering, >>>>>>> Florian >>>>>>> >>>>>>> -- >>>>>>> Florian Effenberger <flo...@documentfoundation.org> >>>>>>> Steering Committee and Founding Member of The Document Foundation >>>>>>> Tel: +49 8341 99660880 | Mobile: +49 151 14424108 >>>>>>> Skype: floeff | Twitter/Identi.ca: @floeff >>>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>>> -- >>>>> Simon Phipps >>>>> +1 415 683 7660 : www.webmink.com >>>> >>> >>> > >
