I think it is important to appreciate that project participation on ooo-security does require membership on the [P]PMC. The security@ apache.org list also has oversight on ooo-security@ i.a.o.
The work on ooo-security has accountability to the PPMC. There are special arrangements that go with developing and slip-streaming fixes into releases and staging disclosure. Even after repairs in a release are disclosed, much of the activity and many details remain behind-the-scenes. In order to support intake of new ooo-security contributors, provide for backup of responsibilities within the team, and also clarify how the security team accounts to the [P]PMC, the working of these arrangements probably needs to be documented in some way (without discussing vulnerabilities themselves), including the approach to cooperation with those reporting vulnerabilities/exploits and coordination with other projects (mainly via the officesecurity@ lists.freedesktop.org list) on cases of mutual importance -- a common occurrence.

 - Dennis

-----Original Message-----
From: Dave Fisher [mailto:dave2w...@comcast.net]
Sent: Sunday, September 09, 2012 09:46
To: ooo-dev@incubator.apache.org
Subject: Re: Volunteers needed to pickup some tasks

Hi,

Some comments on the coverage so far.

On Sep 7, 2012, at 10:50 PM, Rob Weir wrote:

[ ... ]

> 3. Taking the lead on the AOO Security team, tracking vulnerability
> reports, writing disclosure bulletins, coordinating with security
> analysts and related open source projects.

Here is where we need volunteers. This is an area where of necessity little is known of the activity until a release is made. It is a developer / tester area.

[ ... ]