Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
On Apr 11, 2012, at 10:43 PM, William A. Rowe Jr. wrote:

On 4/11/2012 2:36 PM, Jukka Zitting wrote:

It should be noted though that even though the /dist/incubator/ooo space was used to distribute these patches, they were and are not officially blessed by the Incubator PMC on behalf of the ASF. Should a similar case arise in the future, I'd prefer if a clearly separate area under /dist or some other place was used to prevent confusing these with official Apache releases.

Short of people.a.o/~luser/my-patch.tgz, I'm fairly certain that can't happen with an incubating podling. Everything under the space /dist/ must exist under a PMC. And if AOOo ever does a broad security patch distribution, inflicting that traffic on people.a.o, infra will be taking names and kicking asses.

As chair, you should have been brought into this loop, but with the change from Noel I can see how this oversight happened. Sorry about that. It's probably another example why the current infrastructure schema simply isn't plausible.

As a member of the IPMC and also the AOO PPMC, I was not very happy with the way this was held close by a few mentors and ooo-security members. I made claims on ooo-dev that we weren't going to patch when others knew perfectly well that we were. It was a truly crazy time. I think that certain people erred on the side of not trusting trustworthy people. That is extremely unfortunate. I know that I was made to feel I wasted my precious time due to this secrecy. I think it was wrong. The inner circle failed to properly consider Linux users when many of the PPMC were well within that rank. There were significantly false assumptions about the user base impact that were perpetuated by the secrecy that surrounded this patch. The inner circle that did this felt they had no choice but to exclude the PPMC from their consideration. I know that this damaged my interaction with the project. I still feel very much untrusted.
Sorry, I can't remain mute, but if I offended anyone, sorry, but this was wrongly done. I don't know a better way.

Regards,
Dave

- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
On 12 April 2012 06:43, William A. Rowe Jr. wr...@rowe-clan.net wrote:

On 4/11/2012 2:36 PM, Jukka Zitting wrote: ...

As chair, you should have been brought into this loop, but with the change from Noel I can see how this oversight happened. Sorry about that. It's probably another example why the current infrastructure schema simply isn't plausible.

Under normal circumstances I would agree. However, when this was happening it was in the middle of the IPMC blow-up and there was, effectively, no chair. Officially it would have been Noel, who, at the time, was in a difficult place. As one of the mentors involved I felt it was not necessary to add to his concerns. In retrospect that may not have been the best decision.

Ross
Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
On 12 April 2012 07:48, Dave Fisher dave2w...@comcast.net wrote: ...

Sorry, I can't remain mute, but if I offended anyone, sorry, but this was wrongly done. I don't know a better way.

As one of the inner circle I am not offended. All your points are valid. Thank you for sharing them. This was the first and, in all likelihood, the last time such an unusual circumstance will arise. There is no right or wrong way of handling these things. Had we included x then y would have felt excluded; this is what we are seeing here. However, the line must be drawn somewhere.

If there is a problem from the project perspective then this should be dealt with on the ooo-dev list. The PPMC has an appointed security team who are empowered to handle these circumstances for the PPMC; if a member of the PPMC does not like the way this was handled then they should petition to become a member of that security team.

From an IPMC perspective please note that the decision for in/out was not a matter of trust, it was a matter of minimum necessary oversight to solve the problem in the way that ooo-security, advised by the ASF security team, wanted to do so. The only non-security people involved were myself (as an active mentor and initial contact for the PPMC security team), Shane (due to potential branding impact) and Joe (for infrastructure support). VP Legal was also involved via the legal-internal list for obvious reasons. No one else was *needed* and so no one else was involved. Under normal circumstances the IPMC chair would be included, but we effectively had none at this point; officially it was Noel, but Noel was being attacked from all sides at this point and his style of leadership was to have people just get on with it. If Jukka were chair, with his active leadership style, things might have been different. In retrospect I believe a valid argument for involving all mentors can be made and, if I were involved in such a situation again, I would probably want to do so.
Having said that, if I saw someone handle it the same way as this situation was handled I would not be objecting. There is no right way.

Ross
Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
Dave Fisher wrote on Wed, Apr 11, 2012 at 23:48:05 -0700:

Sorry, I can't remain mute, but if I offended anyone, sorry, but this was wrongly done. I don't know a better way.

What about expanding the membership of ooo-security@? Currently it has fewer than 10 subscribers.
Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
On Thu, Apr 12, 2012 at 8:37 AM, Ross Gardler rgard...@opendirective.com wrote:

On 12 April 2012 07:48, Dave Fisher dave2w...@comcast.net wrote: ...

Sorry, I can't remain mute, but if I offended anyone, sorry, but this was wrongly done. I don't know a better way.

As one of the inner circle I am not offended. All your points are valid. Thank you for sharing them. This was the first and, in all likelihood, the last time such an unusual circumstance will arise. There is no right or wrong way of handling these things. Had we included x then y would have felt excluded; this is what we are seeing here. However, the line must be drawn somewhere.

Surely at the ASF the line is at PMC membership. If only a subset of the PPMC is trusted enough to be part of some inner circle then the PPMC should be disbanded and reformed from just that inner circle. Equally for the Incubator PMC, if Noel or whoever was chair should have been told then the Incubator PMC should have been included.

...ant
Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
On Thu, Apr 12, 2012 at 9:36 AM, Ross Gardler rgard...@opendirective.com wrote:

On 12 April 2012 09:27, Ross Gardler rgard...@opendirective.com wrote:

On 12 April 2012 08:59, ant elder ant.el...@gmail.com wrote:

On Thu, Apr 12, 2012 at 8:37 AM, Ross Gardler rgard...@opendirective.com wrote:

On 12 April 2012 07:48, Dave Fisher dave2w...@comcast.net wrote: ...

Sorry, I can't remain mute, but if I offended anyone, sorry, but this was wrongly done. I don't know a better way.

As one of the inner circle I am not offended. All your points are valid. Thank you for sharing them. This was the first and, in all likelihood, the last time such an unusual circumstance will arise. There is no right or wrong way of handling these things. Had we included x then y would have felt excluded; this is what we are seeing here. However, the line must be drawn somewhere.

Surely at the ASF the line is at PMC membership. If only a subset of the PPMC is trusted enough to be part of some inner circle then the PPMC should be disbanded and reformed from just that inner circle.

This is a podling with a very unusual history. It is not as simple as that. However, your general observation is a valid one. The time for addressing this is during incubation, when it becomes possible to determine who is contributing positively to the running of the PPMC.

I should also point out that the perception that information was kept to a limited group implies mistrust of PPMC members is *false*. The PPMC have an appointed security team just as many top level PMCs do; that team is tasked with handling security issues and it did so in this case. As has been noted, this was *not* an ASF release, only one *facilitated* by the ASF in the interests of supporting legacy users of a project that has come to incubation. It is a very unusual situation to which normal ASF policy does not apply. Handling it outside normal ASF processes does not imply a problem with those processes or the PPMC.

Ross

Ross, I'm not trying to stick an oar in or anything, and I don't know the details of what was done other than what's in this thread here; it just seems odd to me, and it seems like there is some acknowledgement that this wasn't done perfectly, so we, the Incubator PMC, should understand what happened. Sure there are other security teams, but AFAIK they operate in conjunction with PMCs and keep PMCs in the loop that something is going on, just withholding precise details of the vulnerability.

...ant
Re: [VOTE] Release ManifoldCF 0.5-incubating, RC6
+1 from me (binding).

Karl

On Wed, Apr 11, 2012 at 11:16 PM, Shinichiro Abe shinichiro.ab...@gmail.com wrote:

Hi, Please vote on whether or not to release ManifoldCF 0.5-incubating, RC6. This RC has passed our podling vote and awaits your inspection. You can download the release candidate from http://people.apache.org/~shinichiro/apache-manifoldcf-0.5-incubating-RC6/ and there is also a tag in svn under https://svn.apache.org/repos/asf/incubator/lcf/tags/release-0.5-incubating-RC6/. It includes improvements to its distribution (bin, lib, src) and build process with respect to core dependencies.

Thank you,
Shinichiro Abe
Re: [VOTE] Release ManifoldCF 0.5-incubating, RC6
+1 (binding),

Tommaso

2012/4/12 Karl Wright daddy...@gmail.com

+1 from me (binding).

Karl

On Wed, Apr 11, 2012 at 11:16 PM, Shinichiro Abe shinichiro.ab...@gmail.com wrote:

Hi, Please vote on whether or not to release ManifoldCF 0.5-incubating, RC6. This RC has passed our podling vote and awaits your inspection. You can download the release candidate from http://people.apache.org/~shinichiro/apache-manifoldcf-0.5-incubating-RC6/ and there is also a tag in svn under https://svn.apache.org/repos/asf/incubator/lcf/tags/release-0.5-incubating-RC6/. It includes improvements to its distribution (bin, lib, src) and build process with respect to core dependencies.

Thank you,
Shinichiro Abe
Re: [VOTE] Release Jena LARQ 1.0.0-incubating
ping

We still need one vote here. Anyone willing to take a look at LARQ RC-1? http://people.apache.org/~castagna/merge-jena-larq-1.0.0-RC-1/

Thanks,
Paolo

Paolo Castagna wrote:

Thank you Leo, thank you Benson. We still need one vote, I think...

Cheers,
Paolo

Leo Simons wrote:

On Sun, Apr 1, 2012 at 9:48 PM, Paolo Castagna castagna.li...@googlemail.com wrote:

here is a vote on a release for Apache Jena LARQ module: jena-larq-1.0.0-incubating. ... Proposed files and structure to merge with existing dist/ area: http://people.apache.org/~castagna/merge-jena-larq-1.0.0-RC-1/

+1

cheers,
Leo
Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
Hi,

On Thu, Apr 12, 2012 at 7:43 AM, William A. Rowe Jr. wr...@rowe-clan.net wrote:

Short of people.a.o/~luser/my-patch.tgz, I'm fairly certain that can't happen with an incubating podling. Everything under the space /dist/ must exist under a PMC.

I totally agree for proper releases (with a source archive) blessed by the PMC (on private@ if needed). However, this was neither, so I find using the same location a bit troublesome.

Anyway, it sounds like the case was handled reasonably well under some fairly challenging constraints, so I'm not too worried about details like this as long as this remains a one-off special case. I only wanted to bring this up to make sure this doesn't become a standard procedure without a broader discussion of how cases like this should be handled.

BR,
Jukka Zitting
Re: [VOTE] CloudStack for Apache Incubator
Hi,

On Tue, Apr 10, 2012 at 3:32 AM, Kevin Kluge kevin.kl...@citrix.com wrote:

I'd like to call for a VOTE for CloudStack to enter the Incubator.

+1: accept CloudStack into Incubator

PS. Unless you've already done so, please get in touch with the ASF infra team as soon as possible on the various infrastructure topics mentioned. Experience from other complex podlings suggests that the infrastructure migration may take months and be somewhat painful unless properly planned and managed.

BR,
Jukka Zitting
Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
On Thu, Apr 12, 2012 at 9:07 AM, Jukka Zitting jukka.zitt...@gmail.com wrote:

Hi,

On Thu, Apr 12, 2012 at 7:43 AM, William A. Rowe Jr. wr...@rowe-clan.net wrote:

Short of people.a.o/~luser/my-patch.tgz, I'm fairly certain that can't happen with an incubating podling. Everything under the space /dist/ must exist under a PMC.

I totally agree for proper releases (with a source archive) blessed by the PMC (on private@ if needed). However, this was neither, so I find using the same location a bit troublesome.

Anyway, it sounds like the case was handled reasonably well under some fairly challenging constraints, so I'm not too worried about details like this as long as this remains a one-off special case. I only wanted to bring this up to make sure this doesn't become a standard procedure without a broader discussion of how cases like this should be handled.

If there is anything worth additional consideration, it would be how to handle large incubation projects, where the time to initial Apache release is long enough that there is a possibility or even likelihood of needing to release a security patch for a legacy version of the product. In some cases the original sponsors of the project are still around and can continue to do this kind of maintenance. In other cases, as with OpenOffice, this is not true.

I'd recommend that future podlings, and the IPMC, consider this aspect when reviewing new podling applications. It should probably be treated explicitly in the wiki proposal for podlings that expect to take more than 3 or 4 months to get to their first release.

Regards,
-Rob

BR,
Jukka Zitting
Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
On 12 April 2012 15:05, Rob Weir robw...@apache.org wrote:

I'd recommend that future podlings, and the IPMC, consider this aspect when reviewing new podling applications. It should probably be treated explicitly in the wiki proposal for podlings that expect to take more than 3 or 4 months to get to their first release.

This makes a great deal of sense. It will not prevent the problem occurring but it will minimise the surprises if a similar situation were to arise. That being said, I'm not sure what would have been written in the AOO proposal back in July. But at least we would have identified the likelihood that the ASF would need to distribute, or the project would need to find a distribution channel, and thus been pre-warned of a potential situation arising.

Ross
Re: [VOTE] Release Jena LARQ 1.0.0-incubating
On 04/12/2012 07:33 AM, Paolo Castagna wrote:

ping

We still need one vote here. Anyone willing to take a look at LARQ RC-1? http://people.apache.org/~castagna/merge-jena-larq-1.0.0-RC-1/

Thanks,
Paolo

+1 binding
Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
/me wondering if any of this feedback ever got channeled back to security@? (or was it only on @incubator lists)

Jukka Zitting wrote on Thu, Apr 12, 2012 at 15:07:56 +0200:

Hi,

On Thu, Apr 12, 2012 at 7:43 AM, William A. Rowe Jr. wr...@rowe-clan.net wrote:

Short of people.a.o/~luser/my-patch.tgz, I'm fairly certain that can't happen with an incubating podling. Everything under the space /dist/ must exist under a PMC.

I totally agree for proper releases (with a source archive) blessed by the PMC (on private@ if needed). However, this was neither, so I find using the same location a bit troublesome.

Anyway, it sounds like the case was handled reasonably well under some fairly challenging constraints, so I'm not too worried about details like this as long as this remains a one-off special case. I only wanted to bring this up to make sure this doesn't become a standard procedure without a broader discussion of how cases like this should be handled.

BR,
Jukka Zitting
Re: Giraph status (Was: [Incubator Wiki] Update of April2012 by OwenOmalley)
Hi,

On Thu, Apr 12, 2012 at 6:44 AM, Owen O'Malley omal...@apache.org wrote:

On Wed, Apr 11, 2012 at 4:30 PM, Jukka Zitting jukka.zitt...@gmail.com wrote:

Looking at the report and recent project activity it looks like Giraph is doing pretty well. In fact I can't spot any obvious graduation blockers. Anything I'm missing? If not, have you already started preparing for graduation?

We haven't started yet, but I was thinking along similar lines.

OK, cool.

Should I start a vote on the dev list?

Probably best to start with a discuss thread for the community and then move through the process as described in [1] if the consensus is that the community is ready to graduate.

[1] http://incubator.apache.org/guides/graduation.html

BR,
Jukka Zitting
RE: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
I don't think the problem is with the size of the ooo-security list membership. I think it is in the assumption that the [P]PMC has somehow delegated the ability to make a release of any kind to the ooo-security team. I don't mean slip-streaming fixes and working off the public SVN until that happens. I mean developing and deploying all the rest of what accompanies an advisory along with provision of a mitigation.

The breakdowns were not in analyzing the reported vulnerability and the proof-of-exploit that accompanied it. I assume that ooo-security acquitted itself well in that regard, as well as with the coordination with other parties, including ones external to Apache, having common concerns. The breakdown was in all of the non-security considerations and assumptions, even though they needed to be developed in confidence. The PPMC would have provided a proper arena for working that out. The PPMC has much to offer concerning the announcement of CVEs and the appropriate coordination and form of patch releases/updates. Those with valuable perspective on the deployment strategy and its support might have no sense of the technical work that ooo-security members undertake.

There was nothing about this particular vulnerability that made it dangerous for the PPMC to know about it and the approach being taken to release an ASF-appropriate patch. The exploit is by crafting an ODF 1.2 document and all unpatched OO.o 3.x (and LibreOffice 3.x) installations remain vulnerable. I think it is safe to presume that there are, at this moment, significantly more unpatched installations than patched ones, and I see that as a greater concern, if there is any, than consultation and review by the PPMC before the public advisory and patch release. A significant number of people external to the PPMC, including non-experts and those who may see themselves as competitors, knew about this prior to the announcement and there does not appear to have been any damage.

- Dennis

PS: I followed the public back-and-forth about the operation of security lists and venues for security coordination that Dave Fisher feels embarrassed about. I don't think it matters. Whether there was a way for the Apache OpenOffice project to issue repairs to OpenOffice.org distributions, or not, did not seem to be a significant feature of the dispute as I followed it. Indeed, knowledge of the possibility of an ASF patch was not a fact that could be used as a counter-point. Announcement of the particular vulnerability that was going to be dealt with by ASF in that manner was still under embargo. It remains a valid point that those who can't wait for a stable Apache OpenOffice release to satisfy their security concerns, especially on Linux where there is still no Apache patch, might want to look to other distributions whose current releases have that and other vulnerabilities repaired. It all depends.

-Original Message-
From: ant elder [mailto:ant.el...@gmail.com]
Sent: Thursday, April 12, 2012 02:04
To: general@incubator.apache.org
Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

On Thu, Apr 12, 2012 at 9:36 AM, Ross Gardler rgard...@opendirective.com wrote:

On 12 April 2012 09:27, Ross Gardler rgard...@opendirective.com wrote:

On 12 April 2012 08:59, ant elder ant.el...@gmail.com wrote:

On Thu, Apr 12, 2012 at 8:37 AM, Ross Gardler rgard...@opendirective.com wrote:

On 12 April 2012 07:48, Dave Fisher dave2w...@comcast.net wrote: [ ... ]

Sorry, I can't remain mute, but if I offended anyone, sorry, but this was wrongly done. I don't know a better way. [ ... ]

Surely at the ASF the line is at PMC membership. If only a subset of the PPMC is trusted enough to be part of some inner circle then the PPMC should be disbanded and reformed from just that inner circle.

This is a podling with a very unusual history. It is not as simple as that. However, your general observation is a valid one.
The time for addressing this is during incubation when it becomes possible to determine who is contributing positively to the running of the PPMC. I should also point out that the perception that information was kept to a limited group implies mistrust of PPMC members is *false*. The PPMC have an appointed security team just as many top level PMCs do that team is tasked with handling security issues and it did so in this case. As has been noted, this was *not* an ASF release, only one *facilitated* by the ASF in the interests of supporting legacy users of a project that has come to incubation. It is a very unusual situation to which normal ASF policy does not apply. Handling it outside normal ASF processes does not imply a problem with those processes or the PPMC. Ross Ross, I'm not trying to stick an oar in or anything and i don't know the details of what was done other than whats in this thread here, it just seems odd
Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
On Thu, Apr 12, 2012 at 12:32 PM, Dennis E. Hamilton dennis.hamil...@acm.org wrote:

I don't think the problem is with the size of the ooo-security list membership. I think it is in the assumption that the [P]PMC has somehow delegated the ability to make a release of any kind to the ooo-security team. I don't mean slip-streaming fixes and working off the public SVN until that happens. I mean developing and deploying all the rest of what accompanies an advisory along with provision of a mitigation.

The breakdowns were not in analyzing the reported vulnerability and the proof-of-exploit that accompanied it. I assume that ooo-security acquitted itself well in that regard, as well as with the coordination with other parties, including ones external to Apache, having common concerns. The breakdown was in all of the non-security considerations and assumptions, even though they needed to be developed in confidence. The PPMC would have provided a proper arena for working that out. The PPMC has much to offer concerning the announcement of CVEs and the appropriate coordination and form of patch releases/updates. Those with valuable perspective on the deployment strategy and its support might have no sense of the technical work that ooo-security members undertake.

Dennis, if the PPMC wishes to make any changes to the patch, or the documentation, or the announcement, or the website related to this patch, they have had that ability for nearly a month now. But no one, including yourself, has offered one change. A lot of criticism, certainly, but no patches. The actions (or inaction) of the PPMC since this patch was announced proves the point. It was good enough, and no one -- including you -- has ventured to raise a finger to improve any of the patch materials.

-Rob
Kitty status (Was: [Incubator Wiki] Update of April2012 by AlessandroNovarini)
Hi,

Thanks for the report, Kitty!

On Thu, Apr 5, 2012 at 6:10 PM, Apache Wiki wikidi...@apache.org wrote:

+ In order to get graduated, Kitty needs the following features:
+ 1) The ability to save profiles of commonly connected to jmx servers including groups of tomcat servers
+ 2) The ability to collect metrics on an aggregate group of JMX servers

Note that neither of these is a graduation issue from the Incubator perspective. What we're interested in is whether the community is diverse and active, whether any IP issues have been cleared, and whether the community follows the Apache way and our policies.

+ The community hasn't grown since the last report.

Do you have plans on how to grow the community, or are you happy with the status quo? After 1.5 years in incubation I'd love to see Kitty having a clear plan towards graduation. Could you come up with something like that for your next report?

How active and diverse is the current community? From your report it sounds like more project activity is needed.

BR,
Jukka Zitting
Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
On 4/12/2012 2:59 AM, ant elder wrote: On Thu, Apr 12, 2012 at 8:37 AM, Ross Gardler rgard...@opendirective.com wrote: On 12 April 2012 07:48, Dave Fisher dave2w...@comcast.net wrote: ... Sorry, I can't remain mute, but I offended anyone, sorry, but this was wrongly done. I don't know a better way Don't, these concerns can and should be aired. Any deviation from the usual ASF practices should be defended (and defensible) or they should be discarded. I don't think you are wrong to be disturbed by the process, but I do expect most of the AOOo PPMC will find what actually transpired was reasonable, under the circumstances, after you _all_ discuss it in postmortem evaluation. That's dev@ list business. As one of the inner circle I am not offended. All your points are valid. Thank you for sharing them. This was the first and, in all likelihood the last time such an unusual circumstance will arise. There is no right or wrong way of handling these things. Had we included x then y would have felt excluded, this is what we are seeing here. However, the line must be drawn somewhere. Surely at the ASF the line is at PMC membership. If only a subset of the PPMC is trusted enough to be part of some inner circle then the PPMC should be disbanded and reformed from just that inner circle. Equally for the Incubator PMC, if Noel or who ever was chair should have been told then the Incubator PMC should have been included. I'll refer to httpd, since it has the longest track record of security incident handling. There is about 1/4 of the httpd PMC who choose to be active as part of the security list. That group will go to the effort to respond to reports, test reported defects, write patches, test patches and help get the trunk or branch into some state that we can have a release. If the incident is (or becomes) publicly known, the security@ list wipes their hands of it, this mechanism is only used for embargoed issues. 
There is sometimes a parallel discussion on security@ when a publicly discussed flaw or patch has undisclosed security implications, but that's pretty rare. Well over half of the httpd PMC doesn't participate a whole lot in the first place, including voting on release candidates, so expanding the knowledge of undisclosed vulnerabilities to that group makes zero sense. As a PMC member, any of them would be welcome to join the security team, just as any can leave it if they don't have time or interest to follow the security space. I don't think we can compare the current AOOo situation; the PMC here is effectively the IPMC, the only group of people with binding votes. 95% of that PMC should not have had advance knowledge of the specifics of these defects, because 95% have little to do with AOOo on a daily basis. The people who would do the testing/verification/patch authoring and further testing and verification needed to be on that list, but of course are not binding PMC members [yet]. And of course there are even meta security lists of lists in this case, owing to multiple projects which are based on the common source code and subject to the same or very similar defect exposures. So the AOOo has assembled a hybrid model of some mentors and some of those committed developers. Certainly the project is going to refine policy going forwards. If I could do it over at httpd, I'd suggest anyone who has not participated in the resolution of the past 'X' defects would be booted from that security team. [Gently nudged off might be more diplomatic.] Perhaps some combination of incidents and period of time. security@ participation is not some privilege, it's added responsibility to the PMC and project by each of its subscribers. 
But the point is that simply for issues of email transport compromise, the people subscribed to that list need to pay extra attention to strictly using ssl transport rather than plain text over public and private networks, and that list needs to be broadcast to those people who will act on those security emails, and to absolutely nobody else.

AOOo will continue to refine its practices in security@ handling, and I'd trust them to make balanced and measured compromises from what I've observed so far in my role on the ASF Security Team. Upon becoming a TLP it will be much easier to balance karma, authority and responsibility for security fixes, and these will come much more organically from a then-shipping ASF package which already had been released by the whole of the PMC.

- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
RE: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
@Rob,

In fact, I posted to ooo-dev and ooo-users information on the significance of the vulnerability and ways to mitigate it.

I was unsuccessful in posting instructions, after several failed attempts, for applying the patch on Windows XP where the dialogs are different and have different consequences than described in the Windows-patch PDF, which gives instructions for Windows 7. (This has to do with an over-zealous spam filter on our lists and I could not get around it.) I have however put what I could on the Media Wiki as the basis for a possible FAQ, using http://wiki.services.openoffice.org/wiki/Talk:Documentation/FAQ/Installation/How_Can_I_Install_the_Security_Patch_(CVE-2012-0037).

I can't do anything about the fact that the need for a Linux patch has not been resolved. I can't do anything about the fact that the patch requires the confidence and experience of a power user to apply on any platform. I understand why that is; I can't do anything about it myself beyond attempting to provide supporting information and supplementary instructions. And I am, of course, a volunteer here.

I also don't see what that has to do with the relationship between the PPMC and ooo-security. That's about getting many eyes, not about where orcmid might exercise his heroic super powers.

- Dennis

-Original Message-
From: Rob Weir [mailto:robw...@apache.org]
Sent: Thursday, April 12, 2012 09:46
To: general@incubator.apache.org
Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

On Thu, Apr 12, 2012 at 12:32 PM, Dennis E. Hamilton dennis.hamil...@acm.org wrote:

I don't think the problem is with the size of the ooo-security list membership. I think it is in the assumption that the [P]PMC has somehow delegated the ability to make a release of any kind to the ooo-security team. I don't mean slip-streaming fixes and working off the public SVN until that happens.
I mean developing and deploying all the rest of what accompanies an advisory along with provision of a mitigation.

The breakdowns were not in analyzing the reported vulnerability and the proof-of-exploit that accompanied it. I assume that ooo-security acquitted itself well in that regard as well as with the coordination with other parties, including ones external to Apache, having common concerns. The breakdown was in all of the non-security considerations and assumptions, even though they needed to be developed in confidence. The PPMC would have provided a proper arena for working that out. The PPMC has much to offer concerning the announcement of CVEs and the appropriate coordination and form of patch releases/updates. Those with valuable perspective on the deployment strategy and its support might have no sense of the technical work that ooo-security members undertake.

Dennis, if the PPMC wishes to make any changes to the patch, or the documentation, or the announcement, or the website related to this patch, they have had that ability for nearly a month now. But no one, including yourself, has offered one change. A lot of criticism, certainly, but no patches. The actions (or inaction) of the PPMC since this patch was announced proves the point. It was good enough, and no one -- including you -- has ventured to raise a finger to improve any of the patch materials.

-Rob
Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
On Thu, Apr 12, 2012 at 2:54 PM, Dennis E. Hamilton dennis.hamil...@acm.org wrote:

@Rob, In fact, I posted to ooo-dev and ooo-users information on the significance of the vulnerability and ways to mitigate it.

Yes, after the official security bulletin went out to those same lists. Thanks.

I was unsuccessful in posting instructions, after several failed attempts, for applying the patch on Windows XP where the dialogs are different and have different consequences than described in the Windows-patch PDF, which gives instructions for Windows 7. (This has to do with an over-zealous spam filter on our lists and I could not get around it.) I have however put what I could on the Media Wiki as the basis for a possible FAQ, using http://wiki.services.openoffice.org/wiki/Talk:Documentation/FAQ/Installation/How_Can_I_Install_the_Security_Patch_(CVE-2012-0037).

The security bulletin is in SVN. You can use the CMS or check in the fix directly. Or post to BZ as a patch. There is no need for a spam filter on the lists to get in your way.

I can't do anything about the fact that the need for a Linux patch has not been resolved. I can't do anything about the fact that the patch requires the confidence and experience of a power user to apply on any platform. I understand why that is; I can't do anything about it myself beyond attempting to provide supporting information and supplementary instructions.

There are others in the PPMC who could do these things if they thought it was important to do so. In fact, the definition of important is pretty much synonymous with it gets someone to take action.

And I am, of course, a volunteer here. I also don't see what that has to do with the relationship between the PPMC and ooo-security. That's about getting many eyes, not about where orcmid might exercise his heroic super powers.

But I hope you see my point.
If neither you nor anyone else on the PPMC has thought it important to address these issues in the month since the patch has been public, then I do not think that the same PPMC members would have addressed these concerns if the security team gave them a heads up a day or two earlier. Or a week earlier. Evidently even a month is not even enough.

-Rob

- Dennis

-Original Message-
From: Rob Weir [mailto:robw...@apache.org]
Sent: Thursday, April 12, 2012 09:46
To: general@incubator.apache.org
Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

On Thu, Apr 12, 2012 at 12:32 PM, Dennis E. Hamilton dennis.hamil...@acm.org wrote:

I don't think the problem is with the size of the ooo-security list membership. I think it is in the assumption that the [P]PMC has somehow delegated the ability to make a release of any kind to the ooo-security team. I don't mean slip-streaming fixes and working off the public SVN until that happens. I mean developing and deploying all the rest of what accompanies an advisory along with provision of a mitigation.

The breakdowns were not in analyzing the reported vulnerability and the proof-of-exploit that accompanied it. I assume that ooo-security acquitted itself well in that regard as well as with the coordination with other parties, including ones external to Apache, having common concerns. The breakdown was in all of the non-security considerations and assumptions, even though they needed to be developed in confidence. The PPMC would have provided a proper arena for working that out. The PPMC has much to offer concerning the announcement of CVEs and the appropriate coordination and form of patch releases/updates. Those with valuable perspective on the deployment strategy and its support might have no sense of the technical work that ooo-security members undertake.
Dennis, if the PPMC wishes to make any changes to the patch, or the documentation, or the announcement, or the website related to this patch, they have had that ability for nearly a month now. But no one, including yourself, has offered one change. A lot of criticism, certainly, but no patches. The actions (or inaction) of the PPMC since this patch was announced proves the point. It was good enough, and no one -- including you -- has ventured to raise a finger to improve any of the patch materials.

-Rob
Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
Hi,

On Thu, Apr 12, 2012 at 8:37 PM, William A. Rowe Jr. wr...@rowe-clan.net wrote:

- at least the IPMC chair should be involved, if not the whole IPMC

That can be remedied today. Jukka, if you like, please join the ASF wide security team, at minimum as an observer.

Thanks, but I'd rather not have to worry about securing my inbox against hackers looking for zero-day exploits. :-/

Personally I'm fine with after-the-fact oversight like now with the OpenOffice report. I think we can trust the security team and other involved people to make decisions without active interference or real-time observation. If it turns out that in retrospect some things could have been handled better, we can handle that with feedback from threads like this one.

If there are cases where more active oversight or feedback is desired (for example if there's a hint that a broader range of projects is affected by an issue, or there's some complex licensing issue regarding a newly incubated project), I'd rather have the security team explicitly reach out and ask for more involvement from us in specific cases.

BR,

Jukka Zitting
Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
On 4/12/2012 2:37 AM, Daniel Shahaf wrote:

Dave Fisher wrote on Wed, Apr 11, 2012 at 23:48:05 -0700:

Sorry, I can't remain mute, but if I offended anyone, sorry, but this was wrongly done. I don't know a better way

What about expanding the membership of ooo-security@? Currently it has less than 10 subscribers.

That's ideal for a start. The security team needs to escalate actual releases to the private@ pmc list, if not the dev@ list at some point. Joining the security@ list isn't the answer to missing communications to private@.

That said, does it have the right ~10 subscribers? Are more appropriate? It seems that about 1/3 of the httpd PMC are on httpd's list, while most every tomcat PMC member is on tomcat's list. The global ASF security team list is actually smaller than either, and a handful of these are likely to be ASF officers rather than specific committee members. [Note that the ASF wide list is a firehose of spam, it's not a pleasant place to hang out.]

So if ooo-security grows to 20 that shouldn't be surprising at all, but it should be deliberate and measured based on specific contributions to finding or fixing specific security defects, over a number of years. It's another list where merit can be helpful in helping it grow over time.
RE: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
Yes, this was already raised on the PPMC (on March 22) as you know. It seems to me that the PPMC is not concerned.

It is interesting that it is thought, here, that the remedy is to add more ooo-security subscribers from the PPMC. That had not come up before.

- Dennis

-Original Message-
From: Ross Gardler [mailto:rgard...@opendirective.com]
Sent: Thursday, April 12, 2012 12:41
To: general@incubator.apache.org; dennis.hamil...@acm.org
Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

On 12 April 2012 17:32, Dennis E. Hamilton dennis.hamil...@acm.org wrote:

I don't think the problem is with the size of the ooo-security list membership. I think it is in the assumption that the [P]PMC has somehow delegated the ability to make a release of any kind to the ooo-security team. I don't mean slip-streaming fixes and working off the public SVN until that happens. I mean developing and deploying all the rest of what accompanies an advisory along with provision of a mitigation.

Whether this is the case or not should be discussed on the ooo-dev lists rather than the IPMC general list. This is not an IPMC issue. All IPMC members are free to join that list or read its archives if they so desire.

Ross
Re: Any23 status (Was: [Incubator Wiki] Trivial Update of April2012 by LewisJohnMcgibbney)
Hi Jukka,

On Tue, Apr 10, 2012 at 10:46 PM, Jukka Zitting jukka.zitt...@gmail.com wrote:

Hi,

Thanks for the report, Any23!

No hassle, thank you for taking the time to criticize the report; we are working to make Any23 a more appealing project and the more we can do to make reporting clearer, more accurate and helpful for you guys the better.

On Mon, Apr 2, 2012 at 2:24 PM, Apache Wiki wikidi...@apache.org wrote:

+ Anything To Triples (any23) is a library, a web service and a command line tool that extracts
+ structured data in RDF format from a variety of Web documents.

[...]

This should be sufficient as the project description in the context of a board report. The list of supported formats, while interesting, is less relevant in this context.

+1. Noted and will be acted on in next reporting slot.

Please also include a note of when Any23 entered incubation. I took the liberty of adding that information to your report.

Thank you

Sounds like good progress!

Yes generally speaking, from a community POV the project is moving in the right direction, for the time being we're witnessing a steady increase in traction and really looking forward to VOTE'ing on 0.7.0-incubating release.

In future reports it would be good if you included the list of most important issues to solve before graduation. Your January report listed the following:

+1 this will also be addressed in next report.

2. Develop a strong community with organizational diversity and with strong connections to other relevant ASF communities.

Based on your current report it sounds like 1 is already solved and 3 will be done shortly. What's your status on 2?

My own opinion on this is that this will really kick in once we get the aforementioned RC and subsequent release sorted. The future is bright for Any23 as we've witnessed a gradual increase in semantic web type projects entering incubation @ASF, and therefore the path to closer integration with these projects is certainly on the road map.
It is something that I certainly look forward to.

OK I think this is all from me just now. Thanks again for your comments.

Lewis
Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
On Apr 12, 2012, at 1:00 PM, Dennis E. Hamilton wrote:

Yes, this was already raised on the PPMC (on March 22) as you know. It seems to me that the PPMC is not concerned.

It is interesting that it is thought, here, that the remedy is to add more ooo-security subscribers from the PPMC. That had not come up before.

Well I did raise it on ooo-private. My suggestion was to add someone who understood Linux distributions to ooo-security ASAP. I got blowback. This was unfortunate. Since then we've had discussions about culture, politeness and apologies.

There was some discussion about OpenOffice and Linux distro on ooo-dev, but more in context of the AOO release plans.

My frustration about not being informed was that no one gave even the slightest notice OFFLIST that there was a reason that certain people were asking the project questions and that things were not as I thought and I should move on and let the world revolve. This is particularly true since I was responding with what I had every reason to believe was the project policy.

Emotions pass. What's the root cause? It's a communication problem, why was communication blocked?

If there are individuals on a PPMC that the podling security team and Mentors feel are not trustworthy enough that it is decided to forgo the minimal courtesy of keeping the PPMC informed to manage the process as Dennis described then perhaps the problem is with the PPMC membership itself. Normally a podling will set the PMC as part the graduation resolution. Perhaps the AOO PPMC membership needs to be revised sooner.

Any advice?

Regards,
Dave

- Dennis

-Original Message-
From: Ross Gardler [mailto:rgard...@opendirective.com]
Sent: Thursday, April 12, 2012 12:41
To: general@incubator.apache.org; dennis.hamil...@acm.org
Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

On 12 April 2012 17:32, Dennis E.
Hamilton dennis.hamil...@acm.org wrote:

I don't think the problem is with the size of the ooo-security list membership. I think it is in the assumption that the [P]PMC has somehow delegated the ability to make a release of any kind to the ooo-security team. I don't mean slip-streaming fixes and working off the public SVN until that happens. I mean developing and deploying all the rest of what accompanies an advisory along with provision of a mitigation.

Whether this is the case or not should be discussed on the ooo-dev lists rather than the IPMC general list. This is not an IPMC issue. All IPMC members are free to join that list or read its archives if they so desire.

Ross
Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
On Thu, Apr 12, 2012 at 5:08 PM, Dave Fisher dave2w...@comcast.net wrote:

On Apr 12, 2012, at 1:00 PM, Dennis E. Hamilton wrote:

Yes, this was already raised on the PPMC (on March 22) as you know. It seems to me that the PPMC is not concerned.

It is interesting that it is thought, here, that the remedy is to add more ooo-security subscribers from the PPMC. That had not come up before.

Well I did raise it on ooo-private. My suggestion was to add someone who understood Linux distributions to ooo-security ASAP. I got blowback. This was unfortunate. Since then we've had discussions about culture, politeness and apologies.

There was some discussion about OpenOffice and Linux distro on ooo-dev, but more in context of the AOO release plans.

My frustration about not being informed was that no one gave even the slightest notice OFFLIST that there was a reason that certain people were asking the project questions and that things were not as I thought and I should move on and let the world revolve. This is particularly true since I was responding with what I had every reason to believe was the project policy.

Emotions pass. What's the root cause? It's a communication problem, why was communication blocked?

If there are individuals on a PPMC that the podling security team and Mentors feel are not trustworthy enough that it is decided to forgo the minimal courtesy of keeping the PPMC informed to manage the process as Dennis described then perhaps the problem is with the PPMC membership itself. Normally a podling will set the PMC as part the graduation resolution. Perhaps the AOO PPMC membership needs to be revised sooner.

Any advice?

So step back, to when the podling received notice of our first security report. The Apache Security Team would not give it to the PPMC, not even on ooo-private. The issue was not the size of the PPMC per se, or even its status as a podling.
The issue was the way in which the initial committers were selected, that anyone could just walk in off the street in essence, put their name down and be an instant PPMC member. Needless to say, a group of nearly 100 initial committers formed that way is not the best way to have a secure discussion. So the request, at that time, was to make a smaller list --- ooo-security -- and to share such sensitive information only on that list. Of course, Mentors and other Apache Members can view that list, as can Apache Security Team members.

I have no doubts that as a TLP the AOO PMC will shed 30%+ of the current membership. That would take care of the names of people who signed up, returned the ICLA but then have not been heard of since. I think we can reach the point where matters of some sensitivity can be shared more broadly on ooo-private.

But you also need to understand that this is not only about trust. It is about security. If I personally trusted you like a brother, and trusted every PPMC member like a brother (or sister) it would not make sense to share all security information with a list of 90 trusted siblings. Why? Because of human error. Because of stolen iPhones. Because of accidentally forwarded emails. Because of accidentally typed recipients. Because of 4am's and because shit happens. It will never make sense to share such sensitive information more broadly than needed to deal with the actual security issue.

This is not about trust. It is about compartmentalization. In other words, the security list is about security.

-Rob

Regards,
Dave

- Dennis

-Original Message-
From: Ross Gardler [mailto:rgard...@opendirective.com]
Sent: Thursday, April 12, 2012 12:41
To: general@incubator.apache.org; dennis.hamil...@acm.org
Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

On 12 April 2012 17:32, Dennis E.
Hamilton dennis.hamil...@acm.org wrote:

I don't think the problem is with the size of the ooo-security list membership. I think it is in the assumption that the [P]PMC has somehow delegated the ability to make a release of any kind to the ooo-security team. I don't mean slip-streaming fixes and working off the public SVN until that happens. I mean developing and deploying all the rest of what accompanies an advisory along with provision of a mitigation.

Whether this is the case or not should be discussed on the ooo-dev lists rather than the IPMC general list. This is not an IPMC issue. All IPMC members are free to join that list or read its archives if they so desire.

Ross
Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
On Apr 12, 2012, at 2:20 PM, Rob Weir wrote:

On Thu, Apr 12, 2012 at 5:08 PM, Dave Fisher dave2w...@comcast.net wrote:

On Apr 12, 2012, at 1:00 PM, Dennis E. Hamilton wrote:

Yes, this was already raised on the PPMC (on March 22) as you know. It seems to me that the PPMC is not concerned.

It is interesting that it is thought, here, that the remedy is to add more ooo-security subscribers from the PPMC. That had not come up before.

Well I did raise it on ooo-private. My suggestion was to add someone who understood Linux distributions to ooo-security ASAP. I got blowback. This was unfortunate. Since then we've had discussions about culture, politeness and apologies.

There was some discussion about OpenOffice and Linux distro on ooo-dev, but more in context of the AOO release plans.

My frustration about not being informed was that no one gave even the slightest notice OFFLIST that there was a reason that certain people were asking the project questions and that things were not as I thought and I should move on and let the world revolve. This is particularly true since I was responding with what I had every reason to believe was the project policy.

Emotions pass. What's the root cause? It's a communication problem, why was communication blocked?

If there are individuals on a PPMC that the podling security team and Mentors feel are not trustworthy enough that it is decided to forgo the minimal courtesy of keeping the PPMC informed to manage the process as Dennis described then perhaps the problem is with the PPMC membership itself. Normally a podling will set the PMC as part the graduation resolution. Perhaps the AOO PPMC membership needs to be revised sooner.

Any advice?

So step back, to when the podling received notice of our first security report. The Apache Security Team would not give it to the PPMC, not even on ooo-private. The issue was not the size of the PPMC per se, or even its status as a podling.
The issue was the way in which the initial committers were selected, that anyone could just walk in off the street in essence, put their name down and be an instant PPMC member. Needless to say, a group of nearly 100 initial committers formed that way is not the best way to have a secure discussion. So the request, at that time, was to make a smaller list --- ooo-security -- and to share such sensitive information only on that list. Of course, Mentors and other Apache Members can view that list, as can Apache Security Team members.

I have no doubts that as a TLP the AOO PMC will shed 30%+ of the current membership. That would take care of the names of people who signed up, returned the ICLA but then have not been heard of since. I think we can reach the point where matters of some sensitivity can be shared more broadly on ooo-private.

But you also need to understand that this is not only about trust. It is about security. If I personally trusted you like a brother, and trusted every PPMC member like a brother (or sister) it would not make sense to share all security information with a list of 90 trusted siblings. Why? Because of human error. Because of stolen iPhones. Because of accidentally forwarded emails. Because of accidentally typed recipients. Because of 4am's and because shit happens. It will never make sense to share such sensitive information more broadly than needed to deal with the actual security issue.

This is not about trust. It is about compartmentalization. In other words, the security list is about security.

I do understand that security is special. You miss my point. I'm not talking about the actual security issue detail. Just that a security announcement, release, whatever is about to happen. As a PPMC member I should be able to ask questions in advance about how it is being handled. If nothing else, to help make sure that there is some form of oversight. I am also talking about more subtly informing someone without disclosing any real information.
As you said security@ did inform us that there was an issue, but not the details.

Regards,
Dave

-Rob

Regards,
Dave

- Dennis

-Original Message-
From: Ross Gardler [mailto:rgard...@opendirective.com]
Sent: Thursday, April 12, 2012 12:41
To: general@incubator.apache.org; dennis.hamil...@acm.org
Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)

On 12 April 2012 17:32, Dennis E. Hamilton dennis.hamil...@acm.org wrote:

I don't think the problem is with the size of the ooo-security list membership. I think it is in the assumption that the [P]PMC has somehow delegated the ability to make a release of any kind to the ooo-security team. I don't mean slip-streaming fixes and working off the public SVN until that happens. I mean developing and deploying all the rest of what accompanies an advisory along with provision of a
Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of April2012 by robweir)
On 12 April 2012 22:20, Rob Weir robw...@apache.org wrote:

On Thu, Apr 12, 2012 at 5:08 PM, Dave Fisher dave2w...@comcast.net wrote:

...

Normally a podling will set the PMC as part the graduation resolution. Perhaps the AOO PPMC membership needs to be revised sooner.

Any advice?

...

I have no doubts that as a TLP the AOO PMC will shed 30%+ of the current membership. That would take care of the names of people who signed up, returned the ICLA but then have not been heard of since. I think we can reach the point where matters of some sensitivity can be shared more broadly on ooo-private.

I agree, you saved me some time in my reply.

Any culling of the PPMC should, IMHO as a mentor, be done in the same way we would for any other project. That is those who have not participated in the community will not form a part of the PMC. It is possible that we will start this process a little early with the AOO project since it is so large. However, at least for me, the idea of doing this before the project has a release to work on seems strange. I am strongly -1 against doing it because of a misunderstanding about why some people feel excluded from the handling of this security issue.

As Rob puts it...

This is not about trust. It is about compartmentalization, In other words, the security list is about security.

This is really important yet seems to be repeatedly missed. I've said many times both here and on AOO lists - nobody was explicitly *excluded* because of a lack of trust. Some people were explicitly *included* because their input was needed. I've enumerated that list of participants in this very thread as well as in others elsewhere.

I invite the IPMC to consider whether we excluded the board members who are also AOO mentors because we didn't trust them? Of course not and the same goes for everyone else who we chose not to include.
I will note that I, as a mentor, felt safe in the knowledge that those not included in my communications about this issue were capable of exercising their right to monitor the ooo-security list or the legal-internal list. If they were monitoring either list then they knew about our actions. My understanding is that Dave, as a mentor and representative of the IPMC, has chosen not to monitor those lists and therefore feels excluded.

I would argue that there is a world of difference between those in the know choosing who in the IPMC and the broader ASF to explicitly include (which is what we did) compared to choosing who to exclude (which we did not do).

I will note that the same argument cannot be made for PPMC members who feel excluded. It is good to note that Rob has, presumably as a result of this thread, proposed a few new members of the ooo-security list. Any PPMC member feeling they are left out should ask for consideration on the ooo lists, this is not a matter for the IPMC to resolve.

Ross
Re: [VOTE] Release ManifoldCF 0.5-incubating, RC6
On 4/12/12 3:35 PM, Karl Wright daddy...@gmail.com wrote:

I should also mention that Jukka voted +1 during the community voting on this RC, so his vote should be binding here as well.

For future reference, it is a best practice to include a link to the PPMC VOTE thread [1]. It has also been suggested that the RM include in the IPMC VOTE thread any IPMC members who have voted +1 on the PPMC VOTE thread.

[1] : http://incubator.apache.org/guides/releasemanagement.html#best-practice-incubator-release-vote

Karl

On Thu, Apr 12, 2012 at 5:45 AM, Tommaso Teofili tommaso.teof...@gmail.com wrote:

+1 (binding), Tommaso

2012/4/12 Karl Wright daddy...@gmail.com

+1 from me (binding). Karl

On Wed, Apr 11, 2012 at 11:16 PM, Shinichiro Abe shinichiro.ab...@gmail.com wrote:

Hi,

Please vote on whether or not to release ManifoldCF 0.5-incubating, RC6. This RC has passed our podling vote and awaits your inspection.

You can download the release candidate from http://people.apache.org/~shinichiro/apache-manifoldcf-0.5-incubating-RC6/ and there is also a tag in svn under https://svn.apache.org/repos/asf/incubator/lcf/tags/release-0.5-incubating-RC6/ .

It has done improvements for its distribution (bin, lib, src) and build process as to core dependencies.

Thank you,
Shinichiro Abe
Re: [VOTE] Release ManifoldCF 0.5-incubating, RC6
caofyjnysuhk+g0rcppq2r4hbndo2hf6lxpo8xz12gg9rzh1...@mail.gmail.com

Karl

On Thu, Apr 12, 2012 at 8:43 PM, Franklin, Matthew B. mfrank...@mitre.org wrote:
> On 4/12/12 3:35 PM, Karl Wright daddy...@gmail.com wrote:
> > I should also mention that Jukka voted +1 during the community voting on this RC, so his vote should be binding here as well.
>
> For future reference, it is a best practice to include a link to the PPMC VOTE thread [1]. It has also been suggested that the RM include in the IPMC VOTE thread any IPMC members who have voted +1 on the PPMC VOTE thread.
>
> [1]: http://incubator.apache.org/guides/releasemanagement.html#best-practice-incubator-release-vote
