Hi

On 2007-01-07, at 04:34 , sophie wrote:

Hi all,

I'm ccing the Community Council list too because I think it's a very important question to be discussed.

There has been a security alert widely relayed by the press these last days. I myself learned of it simultaneously from Simon's mail on the discuss@ list and from the Monde Informatique (French press). Joost has answered this mail giving the link to the patch and the md5sums. Reading more, I've found a mail on the release@ list from Martin explaining how to install it on 1.1.5.

If I go on the website, I can't find any information about this security patch: whether it's already in 2.1 or not, or how to install it under the 1.1.5 version. Users who want information need to dig in the mailing lists and IZ to find the relevant information.

My question is: could we put a communication flow in place about those security alerts, make this communication transparent and useful for our users and the press, and in the end show that we are concerned? Several reactions on the French list have pointed to a wrong decision not to communicate about the security, where we simply took no decision at all.

+1. I had the same reaction as you and was disturbed when the press article came out, esp. as it seemed a lot more sensationalist than merited. I drafted a blog entry to discuss this--that it was merely a 1.1.5 event--but have not published it yet.

I'd suggest that when a security issue is communicable (eg, basically resolved or in the process) that security-team work with pr@ or at the *least* send a direct note to John McC and me (both) to get things rolling, and that pr@ be the place for subsequent work on the PR or announcement.

Thus, the official flow:

* security work is being done; security-team is presumably aware of this or if not is notified
* when resolution is imminent, pr@ is notified. If not pr@, then at least John and me
* pr is written, translated, and published within a few days of resolution of event; mention is on the OOo homepage and on other project pages.

Meanwhile, one can use blogs to strategic effect, esp., GullFOSS and Malte's in particular.


Kind regards
Sophie

Thanks
louis

