On Thu, Jul 28, 2011 at 6:43 PM, Dennis E. Hamilton
<[email protected]> wrote:
> Florian, we are all learning over here.
>
> There are practices that the ASF has around security and how reports to 
> security are handled and the Apache ooo PPMC is working to comprehend how to 
> do this properly.  We're still working out how this is all meant to work and 
> how we deal with the fact that there is a broader common interest than what 
> the Apache incubator might be the source of.
>
> We set up the [email protected] on the serious urging of the 
> ASF security team.
>
> At the moment, the three moderators (required to provide mailing list 
> coverage) of this moderated and private list (no public archive or 
> subscriptions) are myself, Rob Weir, and Malte Timmermann.  As the 
> self-selected moderators, we became the initial subscribers.
>
> The other advice was to include others who are already working on security 
> lists for, e.g., OpenOffice.org (traditional) and LibreOffice.
>
> I, for one, want more engagement of experienced security minders around ODF 
> and its implementing consumers and producers.  Although I pay attention to 
> security-related matters involving ODF and how implementations use it, I 
> don't consider myself an expert (and I am not one to be making patches to the 
> code if that is what mitigation requires).  I think we should rely on 
> expertise that is available for how to conduct ourselves and also handling 
> submissions to our respective security lists.
>
> You are seeing how the discussion of that is going so far.
>
> I favor including the two others Malte recommends and I am not concerned 
> about iCLAs and having them be Apache committers and on the PPMC. It is 
> nevertheless the case that all actions to mitigate a security issue on Apache 
> ooo (incubator) are the responsibility of the PPMC.  That does not mean we 
> can't share analysis and even agreement on remedies and the coordination of 
> mitigations, release of CVEs, etc.
>
> There's also suggestion that we cross-subscribe our lists, but I'm not sure 
> how we can manage that.  However, having common membership should allow 
> appropriate forwarding across lists.
>

Both lists are also used for reporting vulnerabilities.  So both lists
must already have the ability to accept incoming emails from
non-subscribers.  We know with Apache, such emails go to the moderator
first.  I assume it is the same with [email protected].

So in cases where we think we need to post to that list, or they think
they need to post to ours, it is already possible.  We don't need to
change anything for that to happen.

But remember, the [email protected] is not long for this
world.  This Apache project will be taking over that domain and its
lists.  So in the intermediate term there will no longer be "us" and
"them".  It will just be "us" and "us".  We'll need to decide at that
point whether [email protected] continues or whether it is
shut down.  My guess is we'll want to shut it down so it is clear to
the public where reports should be sent.  So cross-subscribing is
really a short term hack and a non-solution in my mind.

What do we really want to do?  Stepping back, what do we want to accomplish?

Do we want a list of domain experts we can tap into?  That is easy.
Track the list in a text file in the PPMC's private directory.

Do we want to bring more security experts into the project and, as
committers and PPMC members, into the ooo-security list?  Great.  I'd
love to help with that recruitment effort.  Do we want to create a
private club of 3rd parties with whom we share all reports and
discussions, indiscriminately, by default, regardless of the
technology involved in the underlying report?  Sorry, I can't support
that.

Can you give me an example of a kind of issue that we could not
analyze and resolve within the project, or could not resolve by
tapping into targeted 3rd party domain experts?


> I'm thinking security matters may be of more immediate concern to the active 
> LibreOffice development than to Apache.  We can't do a lot about any 
> mitigation at the moment.  We clearly need to be in the same loop with 
> LibreOffice where there are common security concerns.
>

We can do plenty. It would depend, of course, on the severity and
nature of the underlying vulnerability.

> I concur with your previous remarks concerning this being an important area 
> where we can benefit from mutual cooperation.
>
>  - Dennis
>
> -----Original Message-----
> From: Florian Effenberger [mailto:[email protected]]
> Sent: Thursday, July 28, 2011 14:42
> To: [email protected]
> Subject: Re: Population of ooo-security
>
> Hello,
>
> Dennis E. Hamilton wrote on 2011-07-28 22:04:
>> I support Malte's recommendation to add two individuals that are currently 
>> in-common with respect to OpenOffice.org (traditional) and LibreOffice.
>
> I must confess I find it really strange that policies seem to be changed
> here.
>
> We had a good team at OpenOffice.org working on various security aspects
> (reporting, fixing, communicating), and when LibreOffice started, we
> unbureaucratically continued to work with the same set of people that
> has been proven trustworthy already. Everyone agreed that security is
> one of the areas where cooperation is possible without any politics
> involved.
>
> I don't know the exact recipient list of the current OOo security list,
> but my proposal would simply have been to continue working with those
> people. I simply see no reason for changing that (and the notion of "We
> do things different here" is no valid argument at all to me).
>
> But maybe that's just my idea. Well, anyways, back to important stuff.
>
> Florian
>
> --
> Florian Effenberger <[email protected]>
> Steering Committee and Founding Member of The Document Foundation
> Tel: +49 8341 99660880 | Mobile: +49 151 14424108
> Skype: floeff | Twitter/Identi.ca: @floeff
>
>