Hi
On 2007-01-07, at 04:34, sophie wrote:

> Hi all,
> I'm ccing the Community Council list too because I think it's a
> very important question to be discussed.
> There has been a security alert related largely by the press these
> last days. I for myself have learned it simultaneously by Simon's
> mail on discuss@ list and by the Monde Informatique (French press).
> Joost has answered this mail giving the link to the patch and the
> md5sums. Reading more, I've found a mail on release@ list from
> Martin explaining how to install it on 1.1.5.
> If I go on the website, I can't find any information about this
> security patch: if it's already in 2.1 or not, or how to install it
> under the 1.1.5 version. Users who want information need to dig in
> the mailing lists and IZ to find the relevant information.
> My question is: could we put a communication flow in place about
> those security alerts, make this communication transparent and
> useful for our users and the press, and at the end show that we
> are concerned. Several reactions on the French list have pointed a
> wrong decision to not communicate about the security, where we
> simply took no decision at all.

+1. I had the same reaction as you and was disturbed when the press
article came out, esp. as it seemed a lot more sensationalist than
merited. I drafted a blog entry to discuss this--that it was merely a
1.1.5 event--but have not published it yet.
I'd suggest that when a security issue is communicable (e.g., basically
resolved or in the process) that security-team work with pr@ or at
the *least* send a direct note to John McC and me (both) to get
things rolling, and that pr@ be the place for subsequent work on the
PR or announcement.
Thus, the official flow:
* security work is being done; security-team is presumably aware of
this or if not is notified
* when resolution is imminent, pr@ is notified. If not pr@, then at
least John and me
* pr is written, translated, and published within a few days of
resolution of event; mention is on the OOo homepage and on other
project pages.
Meanwhile, one can use blogs to strategic effect, esp., GullFOSS and
Malte's in particular.
> Kind regards
> Sophie
Thanks
louis