Hi Mike,

On Wed, 2014-03-05 at 11:44 +0000, Mike Hall wrote:
> I'm not sure whether this is the right list, but it will do for a start.
>
> I would like to understand what process is in place for handling 
> security issues.

        The issue should be reported to [email protected]; this should be
an alias that is easy to find:

        http://lmgtfy.com/?q=libreoffice+security

        However it already has been: read on ...

>  The question has arisen because of bug 51819, a serious 
> security issue which was reported more than 18 months ago.

        You believe this is a serious security issue; it is not my view, nor is
it a view I noticed inside the (private) security team list - where this
issue was pointed out many moons ago. Furthermore, there have been some
rather irritating arm-twisting attempts on this specific bug, that
further dis-interest people in even doing a good-will fix for it.

>  Who at a senior TDF level is responsible for managing security? 
> What are the guidelines for the process? Are these documented?

        We don't have a ton of process; however attempts to build process to
coerce engineers who volunteer their time seem to have been the modus
operandi so far =)

> FWIW, it would be normal in most applications for security issues to 
> always be blockers for the next version and to get the highest 
> development priority.

        Prioritizing volunteer developers' work is a role that lots of people
would like to volunteer for =) Let's pretend I'm appointed as
chief-prioritizer of other people's spare time - let me tell you: Mike
Hall to go fix the issue, send a patch & then we'll merge it for you
[ how is that working out ? ;-]

        Unfortunately it normally doesn't work that well. If you want the
ability to tell people what to do, the normal convention is to pay for
that. If you are a paying RedHat / SUSE / Ubuntu / Collabora / Lanedo /
Igalia etc. customer you get to report and have such issues fixed.
Furthermore the above are present in the security process - and work
hard to make a secure and high quality product for their users.

        I'm sorry if that's a bit harsh - but the discourse here has already
plumbed the depths before you arrived =) (not your fault of course); and
there are plenty of things to be working on in LibreOffice.

        All the best,

                Michael.

-- 
 [email protected]  <><, Pseudo Engineer, itinerant idiot

