Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread Dave Fisher

On Apr 11, 2012, at 10:43 PM, William A. Rowe Jr. wrote:

 On 4/11/2012 2:36 PM, Jukka Zitting wrote:
 
 It should be noted though that even though the /dist/incubator/ooo
 space was used to distribute these patches, they were and are not
 officially blessed by the Incubator PMC on behalf of the ASF.
 
 Should a similar case arise in the future, I'd prefer if a clearly
 separate area under /dist or some other place was used to prevent
 confusing these with official Apache releases.
 
 Short of people.a.o/~luser/my-patch.tgz, I'm fairly certain that
 can't happen with an incubating podling.  Everything under the space
 /dist/ must exist under a PMC.  And if AOOo ever does on a broad
 security patch distribution, inflicting that traffic on people.a.o,
 infra will be taking names and kicking asses.
 
 As chair, you should have been brought into this loop, but with the
 change from Noel I can see how this oversight happened.  Sorry about
 that.  It's probably another example why the current infrastructure
 schema simply isn't plausible.

As a member of the IPMC and also the AOO PPMC I was not very happy with the way 
this was held close by a few mentors and ooo-security members. I made claims on 
ooo-dev that we weren't going to patch when others knew perfectly well that we 
were. It was a truly crazy time. I think that certain people erred on the side of 
not trusting trustworthy people. That is extremely unfortunate. I know that I 
was made to feel I wasted my precious time due to this secrecy. I think it was 
wrong. The inner circle failed to properly consider Linux users when many of 
the PPMC were well within that rank. There were significantly false assumptions 
about the user base impact that were perpetuated by the secrecy that 
surrounded this patch.

The inner circle that did this felt they had no choice but to exclude the 
PPMC from their consideration. I know that this damaged my interaction with the 
project; I still feel very much untrusted.

Sorry, I can't remain mute, but if I offended anyone, sorry, but this was wrongly 
done. I don't know a better way.

Regards,
Dave

 
 
 -
 To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
 For additional commands, e-mail: general-h...@incubator.apache.org
 





Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread Ross Gardler
On 12 April 2012 06:43, William A. Rowe Jr. wr...@rowe-clan.net wrote:
 On 4/11/2012 2:36 PM, Jukka Zitting wrote:


...

 As chair, you should have been brought into this loop, but with the
 change from Noel I can see how this oversight happened.  Sorry about
 that.  It's probably another example why the current infrastructure
 schema simply isn't plausible.

Under normal circumstances I would agree. However, when this was
happening it was in the middle of the IPMC blow-up and there was,
effectively, no chair. Officially it would have been Noel, who, at the
time was in a difficult place. As one of the mentors involved I felt
it was not necessary to add to his concerns. In retrospect that may
not have been the best decision.

Ross




Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread Ross Gardler
On 12 April 2012 07:48, Dave Fisher dave2w...@comcast.net wrote:

...

 Sorry, I can't remain mute, but if I offended anyone, sorry, but this was 
 wrongly done. I don't know a better way.

As one of the inner circle I am not offended. All your points are
valid. Thank you for sharing them.

This was the first and, in all likelihood, the last time such an
unusual circumstance will arise. There is no right or wrong way of
handling these things.

Had we included x then y would have felt excluded, this is what we are
seeing here. However, the line must be drawn somewhere.

If there is a problem from the project perspective then this should be
dealt with in the ooo-dev list. The PPMC has an appointed security
team who are empowered to handle these circumstances for the PPMC. If
a member of the PPMC does not like the way this was handled then they
should petition to become a member of that security team.

From an IPMC perspective please note that the decision for in-out was
not a matter of trust; it was a matter of minimum necessary oversight
to solve the problem in the way the ooo-security, advised by the ASF
security team, wanted to do so.

The only non-security people involved were myself (as an active mentor
and initial contact for the PPMC security team), Shane (due to
potential branding impact) and Joe (for infrastructure support). VP
legal was also involved via the legal-internal list for obvious
reasons. No one else was *needed* and so no one else was involved. Under
normal circumstances the IPMC chair would be included, but we effectively
had none at this point; officially it was Noel, but Noel was being
attacked from all sides at this point and his style of leadership was
to have people just get on with it. If Jukka were chair with his
active leadership style things might have been different.

In retrospect I believe a valid argument for involving all mentors can
be made and, if I were involved in such a situation again I would
probably want to do so. Having said that, if I saw someone handle it
the same way as this situation was handled I would not be objecting.
There is no right way.

Ross




Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread Daniel Shahaf
Dave Fisher wrote on Wed, Apr 11, 2012 at 23:48:05 -0700:
 Sorry, I can't remain mute, but if I offended anyone, sorry, but this was
 wrongly done. I don't know a better way.

What about expanding the membership of ooo-security@?  Currently it has
less than 10 subscribers.




Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread ant elder
On Thu, Apr 12, 2012 at 8:37 AM, Ross Gardler
rgard...@opendirective.com wrote:
 On 12 April 2012 07:48, Dave Fisher dave2w...@comcast.net wrote:

 ...

 Sorry, I can't remain mute, but if I offended anyone, sorry, but this was 
 wrongly done. I don't know a better way.

 As one of the inner circle I am not offended. All your points are
 valid. Thank you for sharing them.

 This was the first and, in all likelihood the last time such an
 unusual circumstance will arise. There is no right or wrong way of
 handling these things.

 Had we included x then y would have felt excluded, this is what we are
 seeing here. However, the line must be drawn somewhere.


Surely at the ASF the line is at PMC membership. If only a subset of
the PPMC is trusted enough to be part of some inner circle then the
PPMC should be disbanded and reformed from just that inner circle.
Equally for the Incubator PMC, if Noel or whoever was chair should
have been told then the Incubator PMC should have been included.

   ...ant




Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread ant elder
On Thu, Apr 12, 2012 at 9:36 AM, Ross Gardler
rgard...@opendirective.com wrote:
 On 12 April 2012 09:27, Ross Gardler rgard...@opendirective.com wrote:
 On 12 April 2012 08:59, ant elder ant.el...@gmail.com wrote:
 On Thu, Apr 12, 2012 at 8:37 AM, Ross Gardler
 rgard...@opendirective.com wrote:
 On 12 April 2012 07:48, Dave Fisher dave2w...@comcast.net wrote:

 ...

 Sorry, I can't remain mute, but if I offended anyone, sorry, but this was 
 wrongly done. I don't know a better way.

 As one of the inner circle I am not offended. All your points are
 valid. Thank you for sharing them.

 This was the first and, in all likelihood the last time such an
 unusual circumstance will arise. There is no right or wrong way of
 handling these things.

 Had we included x then y would have felt excluded, this is what we are
 seeing here. However, the line must be drawn somewhere.


 Surely at the ASF the line is at PMC membership. If only a subset of
 the PPMC is trusted enough to be part of some inner circle then the
 PPMC should be disbanded and reformed from just that inner circle.

 This is a podling with a very unusual history. It is not as simple as
 that. However, your general observation is a valid one. The time for
 addressing this is during incubation when it becomes possible to
 determine who is contributing positively to the running of the PPMC.

 I should also point out that the perception that information was kept
 to a limited group implies mistrust of PPMC members is *false*. The
 PPMC have an appointed security team just as many top level PMCs do;
 that team is tasked with handling security issues and it did so in
 this case.

 As has been noted, this was *not* an ASF release, only one
 *facilitated* by the ASF in the interests of supporting legacy users
 of a project that has come to incubation. It is a very unusual
 situation to which normal ASF policy does not apply. Handling it
 outside normal ASF processes does not imply a problem with those
 processes or the PPMC.

 Ross


Ross, I'm not trying to stick an oar in or anything and I don't know
the details of what was done other than what's in this thread here. It
just seems odd to me and it seems like there is some acknowledgement
that this wasn't done perfectly, so we, the Incubator PMC, should
understand what happened. Sure there are other security teams but
AFAIK they operate in conjunction with PMCs and keep PMCs in the loop
that something is going on, just withholding precise details of the
vulnerability.

   ...ant




Re: [VOTE] Release ManifoldCF 0.5-incubating, RC6

2012-04-12 Thread Karl Wright
+1 from me (binding).

Karl

On Wed, Apr 11, 2012 at 11:16 PM, Shinichiro Abe
shinichiro.ab...@gmail.com wrote:
 Hi,

 Please vote on whether or not to release ManifoldCF 0.5-incubating, RC6.
 This RC has passed our podling vote and awaits your inspection.

 You can download the release candidate from
 http://people.apache.org/~shinichiro/apache-manifoldcf-0.5-incubating-RC6/
 and there is also a tag in svn under
 https://svn.apache.org/repos/asf/incubator/lcf/tags/release-0.5-incubating-RC6/.

 It has done improvements for its distribution (bin, lib, src)
 and build process as to core dependencies.

 Thank you,
 Shinichiro Abe





Re: [VOTE] Release ManifoldCF 0.5-incubating, RC6

2012-04-12 Thread Tommaso Teofili
+1 (binding),
Tommaso

2012/4/12 Karl Wright daddy...@gmail.com

 +1 from me (binding).

 Karl

 On Wed, Apr 11, 2012 at 11:16 PM, Shinichiro Abe
 shinichiro.ab...@gmail.com wrote:
  Hi,
 
  Please vote on whether or not to release ManifoldCF 0.5-incubating, RC6.
  This RC has passed our podling vote and awaits your inspection.
 
  You can download the release candidate from
  http://people.apache.org/~shinichiro/apache-manifoldcf-0.5-incubating-RC6/
  and there is also a tag in svn under
  https://svn.apache.org/repos/asf/incubator/lcf/tags/release-0.5-incubating-RC6/.
 
  It has done improvements for its distribution (bin, lib, src)
  and build process as to core dependencies.
 
  Thank you,
  Shinichiro Abe
 





Re: [VOTE] Release Jena LARQ 1.0.0-incubating

2012-04-12 Thread Paolo Castagna
ping

We still need one vote here.
Anyone willing to take a look at LARQ RC-1?
http://people.apache.org/~castagna/merge-jena-larq-1.0.0-RC-1/

Thanks,
Paolo

Paolo Castagna wrote:
 Thank you Leo, thank you Benson.
 We still need one vote, I think...
 
 Cheers,
 Paolo
 
 Leo Simons wrote:
 On Sun, Apr 1, 2012 at 9:48 PM, Paolo Castagna
 castagna.li...@googlemail.com wrote:
 here is a vote on a release for Apache Jena LARQ module:
 jena-larq-1.0.0-incubating.
 ...
 Proposed files and structure to merge with existing dist/ area:
 http://people.apache.org/~castagna/merge-jena-larq-1.0.0-RC-1/
 +1

 cheers,

 Leo







Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread Jukka Zitting
Hi,

On Thu, Apr 12, 2012 at 7:43 AM, William A. Rowe Jr.
wr...@rowe-clan.net wrote:
 Short of people.a.o/~luser/my-patch.tgz, I'm fairly certain that
 can't happen with an incubating podling.  Everything under the space
 /dist/ must exist under a PMC.

I totally agree for proper releases (with a source archive) blessed by
the PMC (on private@ if needed). However, this was neither, so I find
using the same location a bit troublesome.

Anyway, it sounds like the case was handled reasonably well under some
fairly challenging constraints, so I'm not too worried about details
like this as long as this remains a one-off special case. I only
wanted to bring this up to make sure this doesn't become a standard
procedure without a broader discussion of how cases like this should
be handled.

BR,

Jukka Zitting




Re: [VOTE] CloudStack for Apache Incubator

2012-04-12 Thread Jukka Zitting
Hi,

On Tue, Apr 10, 2012 at 3:32 AM, Kevin Kluge kevin.kl...@citrix.com wrote:
 I'd like to call for a VOTE for CloudStack to enter the Incubator.

+1: accept CloudStack into Incubator

PS. Unless you've already done so, please get in touch with the ASF
infra team as soon as possible on the various infrastructure topics
mentioned. Experience from other complex podlings suggests that the
infrastructure migration may take months and be somewhat painful
unless properly planned and managed.

BR,

Jukka Zitting




Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread Rob Weir
On Thu, Apr 12, 2012 at 9:07 AM, Jukka Zitting jukka.zitt...@gmail.com wrote:
 Hi,

 On Thu, Apr 12, 2012 at 7:43 AM, William A. Rowe Jr.
 wr...@rowe-clan.net wrote:
 Short of people.a.o/~luser/my-patch.tgz, I'm fairly certain that
 can't happen with an incubating podling.  Everything under the space
 /dist/ must exist under a PMC.

 I totally agree for proper releases (with a source archive) blessed by
 the PMC (on private@ if needed). However, this was neither, so I find
 using the same location a bit troublesome.

 Anyway, it sounds like the case was handled reasonably well under some
 fairly challenging constraints, so I'm not too worried about details
 like this as long as this remains a one-off special case. I only
 wanted to bring this up to make sure this doesn't become a standard
 procedure without a broader discussion of how cases like this should
 be handled.


If there is anything worth additional consideration, it would be how
to handle large incubation projects, where the time to initial Apache
release is long enough that there is a possibility or even likelihood
of needing to release a security patch for a legacy version of the
product.  In some cases the original sponsors of the project are still
around and can continue to do this kind of maintenance. In other
cases, as with OpenOffice, this is not true.

I'd recommend that future podlings, and the IPMC, consider this aspect
when reviewing new podling applications.  It should probably be
treated explicitly in the wiki proposal for podlings that expect to
take more than 3 or 4 months to get to their first release.

Regards,

-Rob

 BR,

 Jukka Zitting






Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread Ross Gardler
On 12 April 2012 15:05, Rob Weir robw...@apache.org wrote:

 I'd recommend that future podlings, and the IPMC, consider this aspect
 when reviewing new podling applications.  It should probably be
 treated explicitly in the wiki proposal for podlings that expect to
 take more than 3 or 4 months to get to their first release.

This makes a great deal of sense. It will not prevent the problem
occurring but it will minimise the surprises if a similar situation
were to arrive. That being said I'm not sure what would have been
written in the AOO proposal back in July. But at least we would have
identified the likelihood that the ASF would need to distribute or the
project would need to find a distribution channel and thus pre-warned
of a potential situation arising.

Ross




Re: [VOTE] Release Jena LARQ 1.0.0-incubating

2012-04-12 Thread Richard Frovarp

On 04/12/2012 07:33 AM, Paolo Castagna wrote:

ping

We still need one vote here.
Anyone willing to take a look at LARQ RC-1?
http://people.apache.org/~castagna/merge-jena-larq-1.0.0-RC-1/

Thanks,
Paolo


+1 binding




Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread Daniel Shahaf
/me wondering if any of this feedback ever got channeled back to
security@?  (or was it only on @incubator lists)

Jukka Zitting wrote on Thu, Apr 12, 2012 at 15:07:56 +0200:
 Hi,
 
 On Thu, Apr 12, 2012 at 7:43 AM, William A. Rowe Jr.
 wr...@rowe-clan.net wrote:
  Short of people.a.o/~luser/my-patch.tgz, I'm fairly certain that
  can't happen with an incubating podling.  Everything under the space
  /dist/ must exist under a PMC.
 
 I totally agree for proper releases (with a source archive) blessed by
 the PMC (on private@ if needed). However, this was neither, so I find
 using the same location a bit troublesome.
 
 Anyway, it sounds like the case was handled reasonably well under some
 fairly challenging constraints, so I'm not too worried about details
 like this as long as this remains a one-off special case. I only
 wanted to bring this up to make sure this doesn't become a standard
 procedure without a broader discussion of how cases like this should
 be handled.
 
 BR,
 
 Jukka Zitting
 
 




Re: Giraph status (Was: [Incubator Wiki] Update of April2012 by OwenOmalley)

2012-04-12 Thread Jukka Zitting
Hi,

On Thu, Apr 12, 2012 at 6:44 AM, Owen O'Malley omal...@apache.org wrote:
 On Wed, Apr 11, 2012 at 4:30 PM, Jukka Zitting jukka.zitt...@gmail.com 
 wrote:
 Looking at the report and recent project activity it looks like Giraph
 is doing pretty well. In fact I can't spot any obvious graduation
 blockers. Anything I'm missing? If not, have you already started
 preparing for graduation?

 We haven't started yet, but I was thinking along similar lines.

OK, cool.

 Should I start a vote on the dev list?

Probably best to start with a discuss thread for the community and
then move through the process as described in [1] if the consensus is
that the community is ready to graduate.

[1] http://incubator.apache.org/guides/graduation.html

BR,

Jukka Zitting




RE: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread Dennis E. Hamilton
I don't think the problem is with the size of the ooo-security list membership.
I think it is in the assumption that the [P]PMC has somehow delegated the
ability to make a release of any kind to the ooo-security team.  I don't mean
slip-streaming fixes and working off the public SVN until that happens.  I mean
developing and deploying all the rest of what accompanies an advisory along
with provision of a mitigation.

The breakdowns were not in analyzing the reported vulnerability and the 
proof-of-exploit that accompanied it.  I assume that ooo-security acquitted 
itself well in that regard as well as with the coordination with other parties, 
including ones external to Apache, having common concerns.  The breakdown was 
in all of the non-security considerations and assumptions, even though they 
needed to be developed in confidence.  The PPMC would have provided a proper 
arena for working that out.

The PPMC has much to offer concerning the announcement of CVEs and the 
appropriate coordination and form of patch releases/updates.  Those with 
valuable perspective on the deployment strategy and its support might have no 
sense of the technical work that ooo-security members undertake.

There was nothing about this particular vulnerability that made it dangerous
for the PPMC to know about it and the approach being taken to release an
ASF-appropriate patch.  The exploit is by crafting an ODF 1.2 document and all
unpatched OO.o 3.x (and LibreOffice 3.x) installations remain vulnerable.  I
think it is safe to presume that there are, at this moment, significantly more
unpatched installations than patched ones and I see that as a greater concern,
if there is any, than consultation and review by the PPMC before the public
advisory and patch release.  A significant number of people external to the
PPMC, including non-experts and those who may see themselves as competitors,
knew about this prior to the announcement and there does not appear to have
been any damage.

 - Dennis

PS: I followed the public back-and-forth about the operation of security lists
and venues for security coordination that Dave Fisher feels embarrassed about.
I don't think it matters.  Whether there was a way for the Apache OpenOffice
project to issue repairs to OpenOffice.org distributions, or not, did not seem
to be a significant feature of the dispute as I followed it.  Indeed, knowledge
of the possibility of an ASF patch was not a fact that could be used as a
counter-point.  Announcement of the particular vulnerability that was going to
be dealt with by ASF in that manner was still under embargo.

It remains a valid point that those who can't wait for a stable Apache
OpenOffice release to satisfy their security concerns, especially on Linux
where there is still no Apache patch, might want to look to other distributions
whose current releases have that and other vulnerabilities repaired.  It all
depends.

-Original Message-
From: ant elder [mailto:ant.el...@gmail.com] 
Sent: Thursday, April 12, 2012 02:04
To: general@incubator.apache.org
Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] 
Update of April2012 by robweir)

On Thu, Apr 12, 2012 at 9:36 AM, Ross Gardler
rgard...@opendirective.com wrote:
 On 12 April 2012 09:27, Ross Gardler rgard...@opendirective.com wrote:
 On 12 April 2012 08:59, ant elder ant.el...@gmail.com wrote:
 On Thu, Apr 12, 2012 at 8:37 AM, Ross Gardler
 rgard...@opendirective.com wrote:
 On 12 April 2012 07:48, Dave Fisher dave2w...@comcast.net wrote:
[ ... ]
 Sorry, I can't remain mute, but if I offended anyone, sorry, but this was 
 wrongly done. I don't know a better way.
[ ... ]
 Surely at the ASF the line is at PMC membership. If only a subset of
 the PPMC is trusted enough to be part of some inner circle then the
 PPMC should be disbanded and reformed from just that inner circle.

 This is a podling with a very unusual history. It is not as simple as
 that. However, your general observation is a valid one. The time for
 addressing this is during incubation when it becomes possible to
 determine who is contributing positively to the running of the PPMC.

 I should also point out that the perception that information was kept
 to a limited group implies mistrust of PPMC members is *false*. The
 PPMC have an appointed security team just as many top level PMCs do;
 that team is tasked with handling security issues and it did so in
 this case.

 As has been noted, this was *not* an ASF release, only one
 *facilitated* by the ASF in the interests of supporting legacy users
 of a project that has come to incubation. It is a very unusual
 situation to which normal ASF policy does not apply. Handling it
 outside normal ASF processes does not imply a problem with those
 processes or the PPMC.

 Ross


Ross, I'm not trying to stick an oar in or anything and i don't know
the details of what was done other than whats in this thread here, it
just seems odd 

Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread Rob Weir
On Thu, Apr 12, 2012 at 12:32 PM, Dennis E. Hamilton
dennis.hamil...@acm.org wrote:
 I don't think the problem is with the size of the ooo-security list 
 membership.  I think it is in the assumption that the [P]PMC has somehow 
 delegated the ability to make a release of any kind to the ooo-security team. 
 I don't mean slip-streaming fixes and working off the public SVN until that 
 happens.  I mean developing and deploying all the rest of what accompanies an 
 advisory along with provision of a mitigation.

 The breakdowns were not in analyzing the reported vulnerability and the 
 proof-of-exploit that accompanied it.  I assume that ooo-security acquitted 
 itself well in that regard as well as with the coordination with other 
 parties, including ones external to Apache, having common concerns.  The 
 breakdown was in all of the non-security considerations and assumptions, even 
 though they needed to be developed in confidence.  The PPMC would have 
 provided a proper arena for working that out.

 The PPMC has much to offer concerning the announcement of CVEs and the 
 appropriate coordination and form of patch releases/updates.  Those with 
 valuable perspective on the deployment strategy and its support might have no 
 sense of the technical work that ooo-security members undertake.


Dennis, if the PPMC wishes to make any changes to the patch, or the
documentation, or the announcement, or the website related to this patch,
they have had that ability for nearly a month now.  But no one,
including yourself, has offered one change.  A lot of criticism,
certainly, but no patches. The actions (or inaction) of the PPMC since
this patch was announced proves the point.  It was good enough, and no
one -- including you -- has ventured to raise a finger to improve any
of the patch materials.

-Rob




Kitty status (Was: [Incubator Wiki] Update of April2012 by AlessandroNovarini)

2012-04-12 Thread Jukka Zitting
Hi,

Thanks for the report, Kitty!

On Thu, Apr 5, 2012 at 6:10 PM, Apache Wiki wikidi...@apache.org wrote:
 + In order to get graduated, Kitty needs the following features:
 + 1) The ability to save profiles of commonly connected to jmx servers 
 including groups of tomcat servers
 + 2) The ability to collect metrics on an aggregate group of JMX servers

Note that neither of these is a graduation issue from the Incubator
perspective. What we're interested in is whether the community is
diverse and active, whether any IP issues have been cleared, and
whether the community follows the Apache way and our policies.

 + The community hasn't grown since the last report.

Do you have plans on how to grow the community, or are you happy with
the status quo? After 1.5 years in incubation I'd love to see Kitty
having a clear plan towards graduation. Could you come up with
something like that for your next report?

How active and diverse is the current community? From your report it
sounds like more project activity is needed.

BR,

Jukka Zitting




Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread William A. Rowe Jr.
On 4/12/2012 2:59 AM, ant elder wrote:
 On Thu, Apr 12, 2012 at 8:37 AM, Ross Gardler
 rgard...@opendirective.com wrote:
 On 12 April 2012 07:48, Dave Fisher dave2w...@comcast.net wrote:

 ...

 Sorry, I can't remain mute, but if I offended anyone, sorry, but this was 
 wrongly done. I don't know a better way.

Don't, these concerns can and should be aired.  Any deviation from the
usual ASF practices should be defended (and defensible) or it should be
discarded.  I don't think you are wrong to be disturbed by the process,
but I do expect most of the AOOo PPMC will find what actually transpired
was reasonable, under the circumstances, after you _all_ discuss it in
postmortem evaluation.  That's dev@ list business.

 As one of the inner circle I am not offended. All your points are
 valid. Thank you for sharing them.

 This was the first and, in all likelihood the last time such an
 unusual circumstance will arise. There is no right or wrong way of
 handling these things.

 Had we included x then y would have felt excluded, this is what we are
 seeing here. However, the line must be drawn somewhere.

 
 Surely at the ASF the line is at PMC membership. If only a subset of
 the PPMC is trusted enough to be part of some inner circle then the
 PPMC should be disbanded and reformed from just that inner circle.
 Equally for the Incubator PMC, if Noel or whoever was chair should
 have been told then the Incubator PMC should have been included.

I'll refer to httpd, since it has the longest track record of security
incident handling.  There is about 1/4 of the httpd PMC who choose to be
active as part of the security list.  That group will go to the effort
to respond to reports, test reported defects, write patches, test patches
and help get the trunk or branch into some state that we can have a release.

If the incident is (or becomes) publicly known, the security@ list wipes
their hands of it; this mechanism is only used for embargoed issues.
There is sometimes a parallel discussion on security@ when a publicly
discussed flaw or patch has undisclosed security implications, but that's
pretty rare.

Well over half of the httpd PMC doesn't participate a whole lot in the
first place, including voting on release candidates, so expanding the
knowledge of undisclosed vulnerabilities to that group makes zero sense.
As a PMC member, any of them would be welcome to join the security team,
just as any can leave it if they don't have time or interest to follow
the security space.

I don't think we can compare the current AOOo situation; the PMC here
is effectively the IPMC, the only group of people with binding votes.
95% of that PMC should not have had advance knowledge of the specifics
of these defects, because 95% have little to do with AOOo on a daily
basis.  The people who would do the testing/verification/patch authoring
and further testing and verification needed to be on that list, but of
course are not binding PMC members [yet].  And of course there are even
meta security lists of lists in this case, owing to multiple projects
which are based on the common source code and subject to the same or very
similar defect exposures.

So the AOOo has assembled a hybrid model of some mentors and some of those
committed developers.  Certainly the project is going to refine policy going
forwards.  If I could do it over at httpd, I'd suggest anyone who has not
participated in the resolution of the past 'X' defects would be booted from
that security team.  [Gently nudged off might be more diplomatic.]  Perhaps
some combination of incidents and period of time.  security@ participation
is not some privilege, it's added responsibility to the PMC and project by
each of its subscribers.

But the point is that simply for issues of email transport compromise,
the people subscribed to that list need to pay extra attention to strictly
using ssl transport rather than plain text over public and private networks,
and that list needs to be broadcast to those people who will act on those
security emails, and to absolutely nobody else.

AOOo will continue to refine its practices in security@ handling, and I'd
trust them to make balanced and measured compromises from what I've observed
so far in my role on the ASF Security Team.  Upon becoming a TLP it will be
much easier to balance karma, authority and responsibility for security fixes,
and these will come much more organically from a then-shipping ASF package
which already had been released by the whole of the PMC.

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org



RE: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread Dennis E. Hamilton
@Rob,

In fact, I posted to ooo-dev and ooo-users information on the significance of 
the vulnerability and ways to mitigate it.

I was unsuccessful in posting instructions, after several failed attempts, for 
applying the patch on Windows XP where the dialogs are different and have 
different consequences than described in the Windows-patch PDF, which gives 
instructions for Windows 7.  (This has to do with an over-zealous spam filter 
on our lists and I could not get around it.)  I have however put what I could 
on the Media Wiki as the basis for a possible FAQ, using 
http://wiki.services.openoffice.org/wiki/Talk:Documentation/FAQ/Installation/How_Can_I_Install_the_Security_Patch_(CVE-2012-0037).

I can't do anything about the fact that the need for a Linux patch has not been 
resolved.  I can't do anything about the fact that the patch requires the 
confidence and experience of a power user to apply on any platform.  I 
understand why that is; I can't do anything about it myself beyond attempt to 
provide supporting information and supplementary instructions.  

And I am, of course, a volunteer here.

I also don't see what that has to do with the relationship between the PPMC and 
ooo-security.  That's about getting many eyes, not about where orcmid might 
exercise his heroic super powers.

 - Dennis

-Original Message-
From: Rob Weir [mailto:robw...@apache.org] 
Sent: Thursday, April 12, 2012 09:46
To: general@incubator.apache.org
Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] 
Update of April2012 by robweir)

On Thu, Apr 12, 2012 at 12:32 PM, Dennis E. Hamilton
dennis.hamil...@acm.org wrote:
 I don't think the problem is with the size of the ooo-security list 
 membership.  I think it is in the assumption that the [P]PMC has somehow 
 delegated the ability to make a release of any kind to the ooo-security team. 
  I don't mean slip-streaming fixes and working off the public SVN until that 
 happens.  I mean developing and deploying all the rest of what accompanies an 
 advisory along with provision of a mitigation.

 The breakdowns were not in analyzing the reported vulnerability and the 
 proof-of-exploit that accompanied it.  I assume that ooo-security acquitted 
 itself well in that regard as well as with the coordination with other 
 parties, including ones external to Apache, having common concerns.  The 
 breakdown was in all of the non-security considerations and assumptions, even 
 though they needed to be developed in confidence.  The PPMC would have 
 provided a proper arena for working that out.

 The PPMC has much to offer concerning the announcement of CVEs and the 
 appropriate coordination and form of patch releases/updates.  Those with 
 valuable perspective on the deployment strategy and its support might have no 
 sense of the technical work that ooo-security members undertake.


Dennis, if the PPMC wishes to make any changes to the patch, or the
documentation, or the announcement, or the website related to this patch,
they have had that ability for nearly a month now.  But no one,
including yourself, has offered one change.  A lot of criticism,
certainly, but no patches. The actions (or inaction) of the PPMC since
this patch was announced proves the point.  It was good enough, and no
one -- including you -- has ventured to raise a finger to improve any
of the patch materials.

-Rob




Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread Rob Weir
On Thu, Apr 12, 2012 at 2:54 PM, Dennis E. Hamilton
dennis.hamil...@acm.org wrote:
 @Rob,

 In fact, I posted to ooo-dev and ooo-users information on the significance of 
 the vulnerability and ways to mitigate it.


Yes, after the official security bulletin went out to those same lists.  Thanks.

 I was unsuccessful in posting instructions, after several failed attempts, 
 for applying the patch on Windows XP where the dialogs are different and have 
 different consequences than described in the Windows-patch PDF, which gives 
 instructions for Windows 7.  (This has to do with an over-zealous spam filter 
 on our lists and I could not get around it.)  I have however put what I could 
 on the Media Wiki as the basis for a possible FAQ, using
 http://wiki.services.openoffice.org/wiki/Talk:Documentation/FAQ/Installation/How_Can_I_Install_the_Security_Patch_(CVE-2012-0037).


The security bulletin is in SVN.  You can use the CMS or check in the
fix directly.  Or post to BZ as a patch.  There is no need for a spam
filter on the lists to get in your way.


 I can't do anything about the fact that the need for a Linux patch has not 
 been resolved.  I can't do anything about the fact that the patch requires 
 the confidence and experience of a power user to apply on any platform.  I 
 understand why that is; I can't do anything about it myself beyond attempt to 
 provide supporting information and supplementary instructions.


There are others in the PPMC who could do these things if they thought
it was important to do so.  In fact, the definition of "important" is
pretty much synonymous with "it gets someone to take action".

 And I am, of course, a volunteer here.

 I also don't see what that has to do with the relationship between the PPMC 
 and ooo-security.  That's about getting many eyes, not about where orcmid 
 might exercise his heroic super powers.


But I hope you see my point.  If neither you nor anyone else on the
PPMC has thought it important to address these issues in the month
since the patch has been public, then I do not think that the same
PPMC members would have addressed these concerns if the security team
gave them a heads up a day or two earlier.  Or a week earlier.
Evidently even a month is not enough.

-Rob

  - Dennis

 -Original Message-
 From: Rob Weir [mailto:robw...@apache.org]
 Sent: Thursday, April 12, 2012 09:46
 To: general@incubator.apache.org
 Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] 
 Update of April2012 by robweir)

 On Thu, Apr 12, 2012 at 12:32 PM, Dennis E. Hamilton
 dennis.hamil...@acm.org wrote:
 I don't think the problem is with the size of the ooo-security list 
 membership.  I think it is in the assumption that the [P]PMC has somehow 
 delegated the ability to make a release of any kind to the ooo-security 
 team.  I don't mean slip-streaming fixes and working off the public SVN 
 until that happens.  I mean developing and deploying all the rest of what 
 accompanies an advisory along with provision of a mitigation.

 The breakdowns were not in analyzing the reported vulnerability and the 
 proof-of-exploit that accompanied it.  I assume that ooo-security acquitted 
 itself well in that regard as well as with the coordination with other 
 parties, including ones external to Apache, having common concerns.  The 
 breakdown was in all of the non-security considerations and assumptions, 
 even though they needed to be developed in confidence.  The PPMC would have 
 provided a proper arena for working that out.

 The PPMC has much to offer concerning the announcement of CVEs and the 
 appropriate coordination and form of patch releases/updates.  Those with 
 valuable perspective on the deployment strategy and its support might have 
 no sense of the technical work that ooo-security members undertake.


 Dennis, if the PPMC wishes to make any changes to the patch, or the
 documentation, or the announcement, or the website related to this patch,
 they have had that ability for nearly a month now.  But no one,
 including yourself, has offered one change.  A lot of criticism,
 certainly, but no patches. The actions (or inaction) of the PPMC since
 this patch was announced proves the point.  It was good enough, and no
 one -- including you -- has ventured to raise a finger to improve any
 of the patch materials.

 -Rob




Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread Jukka Zitting
Hi,

On Thu, Apr 12, 2012 at 8:37 PM, William A. Rowe Jr.
wr...@rowe-clan.net wrote:
 - at least the IPMC chair should be involved, if not the whole IPMC

 That can be remedied today.  Jukka, if you like, please join the ASF
 wide security team, at minimum as an observer.

Thanks, but I'd rather not have to worry about securing my inbox
against hackers looking for zero-day exploits. :-/

Personally I'm fine with after-the-fact oversight like now with the
OpenOffice report. I think we can trust the security team and other
involved people to make decisions without active interference or
real-time observation. If it turns out that in retrospect some things
could have been handled better, we can handle that with feedback from
threads like this one.

If there are cases where more active oversight or feedback is desired
(for example if there's a hint that a broader range of projects is
affected by an issue, or there's some complex licensing issue
regarding a newly incubated project), I'd rather have the security
team explicitly reach out and ask for more involvement from us in
specific cases.

BR,

Jukka Zitting




Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread William A. Rowe Jr.
On 4/12/2012 2:37 AM, Daniel Shahaf wrote:
 Dave Fisher wrote on Wed, Apr 11, 2012 at 23:48:05 -0700:
 Sorry, I can't remain mute, but if I offended anyone, sorry, but this was
 wrongly done. I don't know a better way
 
 What about expanding the membership of ooo-security@?  Currently it has
 less than 10 subscribers.

That's ideal for a start.  The security team needs to escalate actual releases
to the private@ pmc list, if not the dev@ list at some point.  Joining the
security@ list isn't the answer to missing communications to private@.

That said, does it have the right ~10 subscribers?  Are more appropriate?

It seems that about 1/3 of the httpd PMC are on httpd's list, while most
every tomcat PMC member is on tomcat's list.  The global ASF security team
list is actually smaller than either, and a handful of these are likely to
be ASF officers rather than specific committee members.  [Note that the ASF
wide list is a firehose of spam, it's not a pleasant place to hang out.]

So if ooo-security grows to 20 that shouldn't be surprising at all, but it
should be deliberate and measured based on specific contributions to finding
or fixing specific security defects, over a number of years.  It's another
list where merit can be helpful in helping it grow over time.





RE: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread Dennis E. Hamilton
Yes, this was already raised on the PPMC (on March 22) as you know.  It seems 
to me that the PPMC is not concerned.

It is interesting that it is thought, here, that the remedy is to add more 
ooo-security subscribers from the PPMC.  That had not come up before.

 - Dennis

-Original Message-
From: Ross Gardler [mailto:rgard...@opendirective.com] 
Sent: Thursday, April 12, 2012 12:41
To: general@incubator.apache.org; dennis.hamil...@acm.org
Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] 
Update of April2012 by robweir)

On 12 April 2012 17:32, Dennis E. Hamilton dennis.hamil...@acm.org wrote:
 I don't think the problem is with the size of the ooo-security list 
 membership.  I think it is in the assumption that the [P]PMC has somehow 
 delegated the ability to make a release of any kind to the ooo-security team. 
  I don't mean slip-streaming fixes and working off the public SVN until that 
 happens.  I mean developing and deploying all the rest of what accompanies an 
 advisory along with provision of a mitigation.


Whether this is the case or not should be discussed on the ooo-dev
lists rather than the IPMC general list. This is not an IPMC issue.
All IPMC members are free to join that list or read its archives if
they so desire.

Ross




Re: Any23 status (Was: [Incubator Wiki] Trivial Update of April2012 by LewisJohnMcgibbney)

2012-04-12 Thread Lewis John Mcgibbney
Hi Jukka,

On Tue, Apr 10, 2012 at 10:46 PM, Jukka Zitting jukka.zitt...@gmail.com wrote:

 Hi,

 Thanks for the report,  Any23!


No hassle, thank you for taking the time to criticize the report. We are
working to make Any23 a more appealing project, and the more we can do to
make reporting clearer, more accurate and helpful for you guys, the better.



 On Mon, Apr 2, 2012 at 2:24 PM, Apache Wiki wikidi...@apache.org wrote:
  + Anything To Triples (any23) is a library, a web service and a command
 line tool that extracts
  + structured data in RDF format from a variety of Web documents. [...]

 This should be sufficient as the project description in the context of
 a board report. The list of supported formats, while interesting, is
 less relevant in this context.


+1. Noted and will be acted on in next reporting slot.



 Please also include a note of when Any23 entered incubation. I took
 the liberty of adding that information to your report.


Thank you



 Sounds like good progress!


Yes generally speaking, from a community POV the project is moving in the
right direction, for the time being we're witnessing a steady increase in
traction and really looking forward to VOTE'ing on the 0.7.0-incubating release.



 In future reports it would be good if you included the list of most
 important issues to solve before graduation. Your January report
 listed the following:


+1 this will also be addressed in next report.



  2. Develop a strong community with organizational diversity and with
  strong connections to other relevant ASF communities.

 Based on your current report it sounds like 1 is already solved and 3
 will be done shortly. What's your status on 2?

My own opinion on this is that this will really kick in once we get the
aforementioned RC and subsequent release sorted. The future is bright for
Any23 as we've witnessed a gradual increase in semantic web type projects
entering incubation @ASF, and therefore the path to closer integration with
these projects is certainly on the road map. It is something that I
certainly look forward to.

OK I think this is all from me just now. Thanks again for your comments.

Lewis


Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread Dave Fisher

On Apr 12, 2012, at 1:00 PM, Dennis E. Hamilton wrote:

 Yes, this was already raised on the PPMC (on March 22) as you know.  It seems 
 to me that the PPMC is not concerned.
 
 It is interesting that it is thought, here, that the remedy is to add more 
 ooo-security subscribers from the PPMC.  That had not come up before.

Well I did raise it on ooo-private. My suggestion was to add someone who 
understood Linux distributions to ooo-security ASAP. I got blowback. This was 
unfortunate. Since then we've had discussions about culture, politeness and 
apologies. There was some discussion about OpenOffice and Linux distro on 
ooo-dev, but more in context of the AOO release plans.

My frustration about not being informed was that no one gave even the slightest 
notice OFFLIST that there was a reason that certain people were asking the 
project questions and that things were not as I thought and I should move on 
and let the world revolve. This is particularly true since I was responding with 
what I had every reason to believe was the project policy.

Emotions pass. What's the root cause? It's a communication problem; why was 
communication blocked?

If there are individuals on a PPMC that the podling security team and Mentors 
feel are not trustworthy enough that it is decided to forgo the minimal 
courtesy of keeping the PPMC informed to manage the process as Dennis described 
then perhaps the problem is with the PPMC membership itself.

Normally a podling will set the PMC as part of the graduation resolution. Perhaps 
the AOO PPMC membership needs to be revised sooner. Any advice?

Regards,
Dave


 
 - Dennis
 
 -Original Message-
 From: Ross Gardler [mailto:rgard...@opendirective.com] 
 Sent: Thursday, April 12, 2012 12:41
 To: general@incubator.apache.org; dennis.hamil...@acm.org
 Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] 
 Update of April2012 by robweir)
 
 On 12 April 2012 17:32, Dennis E. Hamilton dennis.hamil...@acm.org wrote:
 I don't think the problem is with the size of the ooo-security list 
 membership.  I think it is in the assumption that the [P]PMC has somehow 
 delegated the ability to make a release of any kind to the ooo-security 
 team.  I don't mean slip-streaming fixes and working off the public SVN 
 until that happens.  I mean developing and deploying all the rest of what 
 accompanies an advisory along with provision of a mitigation.
 
 
 Whether this is the case or not should be discussed on the ooo-dev
 lists rather than the IPMC general list. This is not an IPMC issue.
 All IPMC members are free to join that list or read its archives if
 they so desire.
 
 Ross
 



Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread Rob Weir
On Thu, Apr 12, 2012 at 5:08 PM, Dave Fisher dave2w...@comcast.net wrote:

 On Apr 12, 2012, at 1:00 PM, Dennis E. Hamilton wrote:

 Yes, this was already raised on the PPMC (on March 22) as you know.  It 
 seems to me that the PPMC is not concerned.

 It is interesting that it is thought, here, that the remedy is to add more 
 ooo-security subscribers from the PPMC.  That had not come up before.

 Well I did raise it on ooo-private. My suggestion was to add someone who 
 understood Linux distributions to ooo-security ASAP. I got blowback. This  
 was unfortunate. Since then we've had discussions about culture, politeness 
 and apologies. There was some discussion about OpenOffice and Linux distro on 
 ooo-dev, but more in context of the AOO release plans.

 My frustration about not being informed was that no one gave even the 
 slightest notice OFFLIST that there was a reason that certain people were 
 asking the project questions and that things were not as I thought and I 
 should move on and let the world revolve. This is particularly true since I 
 was responding with what I had every reason to believe was the project policy.

 Emotions pass. What's the root cause? It's a communication problem; why was 
 communication blocked?

 If there are individuals on a PPMC that the podling security team and Mentors 
 feel are not trustworthy enough that it is decided to forgo the minimal 
 courtesy of keeping the PPMC informed to manage the process as Dennis 
 described then perhaps the problem is with the PPMC membership itself.

 Normally a podling will set the PMC as part of the graduation resolution. 
 Perhaps the AOO PPMC membership needs to be revised sooner. Any advice?


So step back, to when the podling received notice of our first
security report.  The Apache Security Team would not give it to the
PPMC, not even on ooo-private.  The issue was not the size of the PPMC
per se, or even its status as a podling.  The issue was the way in
which the initial committers were selected, that anyone could just
walk in off the street in essence, put their name down and be an
instant PPMC member.  Needless to say, a group of nearly 100 initial
committers formed that way is not the best way to have a secure
discussion.

So the request, at that time, was to make a smaller list ---
ooo-security -- and to share such sensitive information only on that
list.  Of course, Mentors and other Apache Members can view that list,
as can Apache Security Team members.


I have no doubts that as a TLP the AOO PMC will shed 30%+ of the
current membership.  That would take care of the names of people who
signed up, returned the ICLA but then have not been heard of since.  I
think we can reach the point where matters of some sensitivity can be
shared more broadly on ooo-private.

But you also need to understand that this is not only about trust.  It
is about security.  If I personally trusted you like a brother, and
trusted every PPMC member like a brother (or sister) it would not make
sense to share all security information with a list of 90 trusted
siblings.  Why?  Because of human error.  Because of stolen iPhones.
Because of accidentally forwarded emails.  Because of accidentally
typed recipients.  Because of 4am's and because shit happens.  It
will never make sense to share such sensitive information more broadly
than needed to deal with the actual security issue.  This is not about
trust.  It is about compartmentalization.  In other words, the
security list is about security.

-Rob

 Regards,
 Dave



 - Dennis

 -Original Message-
 From: Ross Gardler [mailto:rgard...@opendirective.com]
 Sent: Thursday, April 12, 2012 12:41
 To: general@incubator.apache.org; dennis.hamil...@acm.org
 Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] 
 Update of April2012 by robweir)

 On 12 April 2012 17:32, Dennis E. Hamilton dennis.hamil...@acm.org wrote:
 I don't think the problem is with the size of the ooo-security list 
 membership.  I think it is in the assumption that the [P]PMC has somehow 
 delegated the ability to make a release of any kind to the ooo-security 
 team.  I don't mean slip-streaming fixes and working off the public SVN 
 until that happens.  I mean developing and deploying all the rest of what 
 accompanies an advisory along with provision of a mitigation.


 Whether this is the case or not should be discussed on the ooo-dev
 lists rather than the IPMC general list. This is not an IPMC issue.
 All IPMC members are free to join that list or read its archives if
 they so desire.

 Ross


Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread Dave Fisher

On Apr 12, 2012, at 2:20 PM, Rob Weir wrote:

 On Thu, Apr 12, 2012 at 5:08 PM, Dave Fisher dave2w...@comcast.net wrote:
 
 On Apr 12, 2012, at 1:00 PM, Dennis E. Hamilton wrote:
 
 Yes, this was already raised on the PPMC (on March 22) as you know.  It 
 seems to me that the PPMC is not concerned.
 
 It is interesting that it is thought, here, that the remedy is to add more 
 ooo-security subscribers from the PPMC.  That had not come up before.
 
 Well I did raise it on ooo-private. My suggestion was to add someone who 
 understood Linux distributions to ooo-security ASAP. I got blowback. This  
 was unfortunate. Since then we've had discussions about culture, politeness 
 and apologies. There was some discussion about OpenOffice and Linux distro 
 on ooo-dev, but more in context of the AOO release plans.
 
 My frustration about not being informed was that no one gave even the 
 slightest notice OFFLIST that there was a reason that certain people were 
 asking the project questions and that things were not as I thought and I 
 should move on and let the world revolve. This is particularly true since I 
 was responding with what I had every reason to believe was the project policy.
 
 Emotions pass. What's the root cause? It's a communication problem; why was 
 communication blocked?
 
 If there are individuals on a PPMC that the podling security team and 
 Mentors feel are not trustworthy enough that it is decided to forgo the 
 minimal courtesy of keeping the PPMC informed to manage the process as 
 Dennis described then perhaps the problem is with the PPMC membership itself.
 
 Normally a podling will set the PMC as part of the graduation resolution. 
 Perhaps the AOO PPMC membership needs to be revised sooner. Any advice?
 
 
 So step back, to when the podling received notice of our first
 security report.  The Apache Security Team would not give it to the
 PPMC, not even on ooo-private.  The issue was not the size of the PPMC
 per se, or even its status as a podling.  The issue was the way in
 which the initial committers were selected, that anyone could just
 walk in off the street in essence, put their name down and be an
 instant PPMC member.  Needless to say, a group of nearly 100 initial
 committers formed that way is not the best way to have a secure
 discussion.
 
 So the request, at that time, was to make a smaller list ---
 ooo-security -- and to share such sensitive information only on that
 list.  Of course, Mentors and other Apache Members can view that list,
 as can Apache Security Team members.
 
 
 I have no doubts that as a TLP the AOO PMC will shed 30%+ of the
 current membership.  That would take care of the names of people who
 signed up, returned the ICLA but then have not been heard of since.  I
 think we can reach the point where matters of some sensitivity can be
 shared more broadly on ooo-private.
 
 But you also need to understand that this is not only about trust.  It
 is about security.  If I personally trusted you like a brother, and
 trusted every PPMC member like a brother (or sister) it would not make
 sense to share all security information with a list of 90 trusted
 siblings.  Why?  Because of human error.  Because of stolen iPhones.
 Because of accidentally forwarded emails.  Because of accidentally
 typed recipients.  Because of 4am's and because shit happens.  It
 will never make sense to share such sensitive information more broadly
 than needed to deal with the actual security issue.  This is not about
 trust.  It is about compartmentalization.  In other words, the
 security list is about security.

I do understand that security is special. You miss my point.  I'm not talking 
about the actual security issue detail. Just that a security announcement, 
release, whatever is about to happen. As a PPMC member I should be able to ask 
questions in advance about how it is being handled. If nothing else, to help make 
sure that there is some form of oversight.

I am also talking about more subtly informing someone without disclosing any 
real information. As you said security@ did inform us that there was an issue, 
but not the details.

Regards,
Dave


 
 -Rob
 
 Regards,
 Dave
 
 
 
 - Dennis
 
 -Original Message-
 From: Ross Gardler [mailto:rgard...@opendirective.com]
 Sent: Thursday, April 12, 2012 12:41
 To: general@incubator.apache.org; dennis.hamil...@acm.org
 Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] 
 Update of April2012 by robweir)
 
 On 12 April 2012 17:32, Dennis E. Hamilton dennis.hamil...@acm.org wrote:
 I don't think the problem is with the size of the ooo-security list 
 membership.  I think it is in the assumption that the [P]PMC has somehow 
 delegated the ability to make a release of any kind to the ooo-security 
 team.  I don't mean slip-streaming fixes and working off the public SVN 
 until that happens.  I mean developing and deploying all the rest of what 
 accompanies an advisory along with provision of a 

Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

2012-04-12 Thread Ross Gardler
On 12 April 2012 22:20, Rob Weir robw...@apache.org wrote:
 On Thu, Apr 12, 2012 at 5:08 PM, Dave Fisher dave2w...@comcast.net wrote:

...

 Normally a podling will set the PMC as part of the graduation resolution. 
 Perhaps the AOO PPMC membership needs to be revised sooner. Any advice?

...

 I have no doubts that as a TLP the AOO PMC will shed 30%+ of the
 current membership.  That would take care of the names of people who
 signed up, returned the ICLA but then have not been heard of since.  I
 think we can reach the point where matters of some sensitivity can be
 shared more broadly on ooo-private.

I agree, you saved me some time in my reply.

Any culling of the PPMC should, IMHO as a mentor, be done in the same
way we would for any other project. That is those who have not
participated in the community will not form a part of the PMC. It is
possible that we will start this process a little early with the AOO
project since it is so large. However, at least for me, the idea of
doing this before the project has a release to work on seems strange.

I am strongly -1 against doing it because of a misunderstanding about
why some people feel excluded from the handling of this security
issue. As Rob puts it...

 This is not about
 trust.  It is about compartmentalization.  In other words, the
 security list is about security.

This is really important yet seems to be repeatedly missed.

I've said many times both here and on AOO lists - nobody was
explicitly *excluded* because of a lack of trust. Some people were
explicitly *included* because their input was needed. I've enumerated
that list of participants in this very thread as well as in others
elsewhere.

I invite the IPMC to consider whether we excluded the board members
who are also AOO mentors because we didn't trust them? Of course not
and the same goes for everyone else who we chose not to include.

I will note that I, as a mentor, felt safe in the knowledge that those
not included in my communications about this issue were capable of
exercising their right to monitor the ooo-security list or the
legal-internal list. If they were monitoring either list then they
knew about our actions. My understanding is that Dave, as a mentor and
representative of the IPMC, has chosen not to monitor those lists and
therefore feels excluded. I would argue that there is a world of
difference between those in the know choosing who in the IPMC and
the broader ASF to explicitly include (which is what we did) compared
to choosing who to exclude (which we did not do).

I will note that the same argument cannot be made for PPMC members who
feel excluded. It is good to note that Rob has, presumably as a result
of this thread, proposed a few new members of the ooo-security list.
Any PPMC member feeling they are left out should ask for consideration
on the ooo lists, this is not a matter for the IPMC to resolve.

Ross

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org



Re: [VOTE] Release ManifoldCF 0.5-incubating, RC6

2012-04-12 Thread Franklin, Matthew B.
On 4/12/12 3:35 PM, Karl Wright daddy...@gmail.com wrote:

I should also mention that Jukka voted +1 during the community voting
on this RC, so his vote should be binding here as well.

For future reference, it is a best practice to include a link to the PPMC
VOTE thread [1].  It has also been suggested that the RM include in the
IPMC VOTE thread any IPMC members who have voted +1 on the PPMC VOTE
thread.

[1] : http://incubator.apache.org/guides/releasemanagement.html#best-practice-incubator-release-vote



Karl

On Thu, Apr 12, 2012 at 5:45 AM, Tommaso Teofili
tommaso.teof...@gmail.com wrote:
 +1 (binding),
 Tommaso

 2012/4/12 Karl Wright daddy...@gmail.com

 +1 from me (binding).

 Karl

 On Wed, Apr 11, 2012 at 11:16 PM, Shinichiro Abe
 shinichiro.ab...@gmail.com wrote:
  Hi,
 
  Please vote on whether or not to release ManifoldCF 0.5-incubating,
RC6.
  This RC has passed our podling vote and awaits your inspection.
 
  You can download the release candidate from
 
 
   http://people.apache.org/~shinichiro/apache-manifoldcf-0.5-incubating-RC6/
  and there is also a tag in svn under
 
 
   https://svn.apache.org/repos/asf/incubator/lcf/tags/release-0.5-incubating-RC6/
 
   It includes improvements to its distribution (bin, lib, src)
   and to the build process with regard to core dependencies.
 
  Thank you,
  Shinichiro Abe
 










Re: [VOTE] Release ManifoldCF 0.5-incubating, RC6

2012-04-12 Thread Karl Wright

Karl


On Thu, Apr 12, 2012 at 8:43 PM, Franklin, Matthew B.
mfrank...@mitre.org wrote:
 On 4/12/12 3:35 PM, Karl Wright daddy...@gmail.com wrote:

I should also mention that Jukka voted +1 during the community voting
on this RC, so his vote should be binding here as well.

 For future reference, it is a best practice to include a link to the PPMC
 VOTE thread [1].  It has also been suggested that the RM include in the
 IPMC VOTE thread any IPMC members who have voted +1 on the PPMC VOTE
 thread.

 [1] : http://incubator.apache.org/guides/releasemanagement.html#best-practice-incubator-release-vote



Karl

On Thu, Apr 12, 2012 at 5:45 AM, Tommaso Teofili
tommaso.teof...@gmail.com wrote:
 +1 (binding),
 Tommaso

 2012/4/12 Karl Wright daddy...@gmail.com

 +1 from me (binding).

 Karl

 On Wed, Apr 11, 2012 at 11:16 PM, Shinichiro Abe
 shinichiro.ab...@gmail.com wrote:
  Hi,
 
  Please vote on whether or not to release ManifoldCF 0.5-incubating,
RC6.
  This RC has passed our podling vote and awaits your inspection.
 
  You can download the release candidate from
 

   http://people.apache.org/~shinichiro/apache-manifoldcf-0.5-incubating-RC6/
  and there is also a tag in svn under
 

   https://svn.apache.org/repos/asf/incubator/lcf/tags/release-0.5-incubating-RC6/
 
   It includes improvements to its distribution (bin, lib, src)
   and to the build process with regard to core dependencies.
 
  Thank you,
  Shinichiro Abe
 








