I'll add my +1 as a mentor (i.e. not a committer) to Rob's general
suggestions.

Personally, I would be uncomfortable to have non-PPMC or Apache Security
team members on the ooo-security@ list. This is a list for this project
to become aware of potential security issues, and to quickly review them
and start a plan for addressing them (if necessary).

Having only Apache committers on this list in no way means that the list
members would not tap any relevant security experts as needed.
Obviously for specific vulnerabilities (or even potential
vulnerabilities), I would expect people would reach out directly to
other recognized or trusted security experts - I'm sure, in many cases,
to the other relevant LibO or whatever security mailing lists. But the
ooo-security@ list itself should be carefully limited.

But security of the future Apache OpenOffice product remains with this
(P)PMC - not with security experts on other projects, no matter how well
meaning or experienced they may be. The direct way the (P)PMC should
learn about issues - ooo-security@ - is for the (P)PMC to be on.

Note that I would also recommend emailing security@ after you have a
basic proposed plan to get advice, and to strongly consider following
any advice you get. They and some of the other major Apache projects,
like Tomcat, Subversion, and httpd, should also be able to provide good
guidance on ways to alert first responders (packagers, binary builders,
whoever) in an appropriate manner before public disclosures.

- Shane