Florian, we are all learning over here. There are practices that the ASF has around security and how reports to security are handled and the Apache ooo PPMC is working to comprehend how to do this properly. We're still working out how this is all meant to work and how we deal with the fact that there is a broader common interest than what the Apache incubator might be the source of.
We set up the [email protected] on the serious urging of the ASF security team. At the moment, the three moderators (required to provide mailing list coverage) of this moderated and private list (no public archive or subscriptions) are myself, Rob Weir, and Malte Timmermann. As the self-selected moderators, we became the initial subscribers. The other advice was to include others who are already working on security lists for, e.g., OpenOffice.org (traditional) and LibreOffice.

I, for one, want more engagement of experienced security minders around ODF and its implementing consumers and producers. Although I pay attention to security-related matters involving ODF and how implementations use it, I don't consider myself an expert (and I am not one to be making patches to the code if that is what mitigation requires). I think we should rely on expertise that is available for how to conduct ourselves and also for handling submissions to our respective security lists. You are seeing how the discussion of that is going so far.

I favor including the two others Malte recommends and I am not concerned about iCLAs and having them be Apache committers and on the PPMC. It is nevertheless the case that all actions to mitigate a security issue on Apache ooo (incubator) are the responsibility of the PPMC. That does not mean we can't share analysis and even agreement on remedies and the coordination of mitigations, release of CVEs, etc.

There's also a suggestion that we cross-subscribe our lists, but I'm not sure how we can manage that. However, having common membership should allow appropriate forwarding across lists. I'm thinking security matters may be of more immediate concern to the active LibreOffice development than to Apache. We can't do a lot about any mitigation at the moment. We clearly need to be in the same loop with LibreOffice where there are common security concerns.
I concur with your previous remarks concerning this being an important area where we can benefit from mutual cooperation.

 - Dennis

-----Original Message-----
From: Florian Effenberger [mailto:[email protected]]
Sent: Thursday, July 28, 2011 14:42
To: [email protected]
Subject: Re: Population of ooo-security

Hello,

Dennis E. Hamilton wrote on 2011-07-28 22:04:
> I support Malte's recommendation to add two individuals that are currently
> in-common with respect to OpenOffice.org (traditional) and LibreOffice.

I must confess I find it really strange that policies seem to be changed here. We had a good team at OpenOffice.org working on various security aspects (reporting, fixing, communicating), and when LibreOffice started, we unbureaucratically continued to work with the same set of people that has been proven trustworthy already. Everyone agreed that security is one of the areas where cooperation is possible without any politics involved.

I don't know the exact recipient list of the current OOo security list, but my proposal would simply have been to continue working with those people. I simply see no reason for changing that (and the notion of "We do things different here" is no valid argument at all to me). But maybe that's just my idea.

Well, anyways, back to important stuff.

Florian

--
Florian Effenberger <[email protected]>
Steering Committee and Founding Member of The Document Foundation
Tel: +49 8341 99660880 | Mobile: +49 151 14424108
Skype: floeff | Twitter/Identi.ca: @floeff
