On Thu, Jul 28, 2011 at 3:18 AM, Florian Effenberger <[email protected]> wrote:
> Hello,
>
> Rob Weir wrote on 2011-07-28 04:08:
>>
>> -1. This is the project's private security list, with only a subset
>> of the PPMC on it. We should not have 3rd parties signed up on it.
>
> that would mark a negative change in the way things are handled. Since the
> beginning of LibO, we have also been collaborating with the OpenOffice.org
> folks on security and vice versa, and from what has been discussed the last
> weeks on those private lists, I got the impression that everyone involved
> wanted to keep that good spirit and cooperation, as it has shown to be
> beneficial for both sides.
>
No one said we could not collaborate on security matters, or on any other matter. But the ooo-dev list is for "reporting or managing of an undisclosed security vulnerability in Apache software". It is part of the oversight of the project and has very limited membership, namely a subset of PMC members, those who have been elected to provide oversight to Apache projects.

I'd recommend reading up on the process here:

http://www.apache.org/security/committers.html

I'd also have concerns with engineers who have not signed the Apache iCLA participating directly in the creation of patches on a private list.

Especially note at the bottom, where it explicitly allows for contacting and collaborating with 3rd party experts in resolving any reported security issues. This does not mean that these experts need to be signed up on the project's private security list. It just means they can be brought into the conversation where appropriate.

Remember, anyone can post to any Apache list, even if they are not signed up on it. This sends it to the list moderators, who may approve the message. That is how we get reports of security vulnerabilities in the first place. It would also be very easy for us to cc a LibreOffice security expert on list messages in order to collaborate.

> I second André and Drew in their opinion that this is actually one of the
> areas where cooperation is very easily possible, so IMHO, we shouldn't
> waste that chance.
>

I'd encourage the project to reach out to find security expertise wherever needed. This would include not only LibreOffice, but Lotus Symphony, other projects at Apache, authors of embedded 3rd party components, other industry experts, etc. We have a potential pool of experts that probably amounts to dozens or hundreds. But that does not mean that they all should be signed up on the ooo-security list. We should bring them in on a case-by-case basis. Otherwise, where would we draw the line?
Sign up LibreOffice experts automatically on ooo-security? What about Symphony? NeoOffice? Portable Apps? EuroOffice? RedOffice? They all have reasons to want to be "the first to know" about any newly reported flaw. What about large government customers? Educational institutions? They would want to know first as well.

So I think we need to clearly distinguish between the kinds of collaboration that are needed to resolve an issue versus the kinds of communications that are needed to report an issue and a fix to users and downstream consumers of the code. These are two different things, and the Apache security process makes that distinction as well.

Cooperation on fixing problems is great and we should encourage it. But the reason the ooo-private list is private and small is to protect the users from premature disclosure of zero-day vulnerabilities. To prevent this, Apache has defined some specific protocols, which I linked to above. This may differ from what OpenOffice has done before. That's fine. Apache has some experience with managing security as well. I don't think we should automatically dismiss their procedures.

A concrete way to encourage future collaboration in this area is if LibreOffice would nominate 1 or 2 security experts from their project to be listed in our private list of experts. If you could send their names and email addresses, along with their particular areas of expertise, to [email protected], I will see that they are added to the list.

I'll make the same offer to others as well. If you are a non-project member, but a security domain expert, and want to be on our list for when we need such expertise, please send a note to ooo-security.

-Rob

> Florian
>
> --
> Florian Effenberger <[email protected]>
> Steering Committee and Founding Member of The Document Foundation
> Tel: +49 8341 99660880 | Mobile: +49 151 14424108
> Skype: floeff | Twitter/Identi.ca: @floeff
>
