[I am reminded that the best way to talk to the PPMC is on ooo-dev and there is 
benefit in so doing.  Here goes.]

PROPOSAL

[email protected] be set up as a private list and a selection of not 
more than 10 security-aware PPMC members be subscribed to it.  We need to work 
out what the composition would be.  The list will be automatically forwarded to 
[email protected].  I assume that there might be security-aware ooo-podling mentors 
and other ASF Members included in the small PPMC subscription.

DETAILS

General information about the Apache Security Team:
<http://www.apache.org/security/>

More details on the handling of security and vulnerabilities by committers and 
the role of the [P]PMC:
<http://www.apache.org/security/committers.html>

Note that creation of a security page on our web site is also part of this.  
That should happen near-immediately also.

BACKGROUND  

I have been nosing around in document-related security areas and that has led 
me to inquire what the arrangements need to be for discussing security issues, 
identified vulnerabilities, proposed mitigations, etc.

I've learned that the Apache approach is for each PMC to take the lead in 
handling security matters related to its releases.  To maintain the security of 
security matters, the practice is to have a private list (for us, ooo-security) 
with not more than ten security-aware subscribers.

Since we may have "common-mode" issues with respect to the use of our common 
code base and implementation behaviors, it may be necessary to coordinate with 
other teams, including the LibreOffice security team, in our case.  We'll have 
to work that out on an individual-case basis, I suspect.  I don't know if we 
have any PPMC members who are also on that team, and I don't know what the 
structure was for OpenOffice.org and who may have been involved.

 - Dennis
