Hi Andre, On Jul 29, 2011, at 7:50 AM, André Schnabel wrote:
>> I must confess I find it really strange that policies seem to be changed >> here. >> >> We had a good team at OpenOffice.org > > Well .. this is not OpenOffice.org, this is Apache. ;) first, I thought this is ironic note, but then I have to agree. And I have to say that I have changed my mind in this. I'll explain: Security was not the primary goal back in OOo project. After security team was established, it gets the attention it requires. Even at these days, Sun security team was consulted many times. When Oracle bought Sun, the same happen with Oracle security team. And when I think about this in general, this is my proposal: Apache has its general security related list - [email protected]. Apache OpenOffice.org project should have its own list as well - AOOo SEC or how it will be named... Only people from Apache security team and AOOo project should be there. OpenOffice.org, LibreOffice and other downstreams should continue to discuss their relevant security issues somewhere, because this was the thing that worked perfectly in the past. But this place can't be AOOo security mailing list. I'd be happy if this (CLOSED!) discussion place about not yet disclosed vulnerabilities can be hosted at Apache. If Apache project can't host such discussion place, then yes, this could be only because of BO ;-) -- Pavel Janík
