Okay, this isn't going well. With my Mentor hat on, allow me to explain that part of the Apache Way is a practice of establishing who is responsible (to the ASF) to see that a given project is well-executed. We feel very strongly about that responsibility, and in this case we've been given a codebase and certain other assets and we're undertaking to treat them with the same care we have with every other project we've incubated. Only people recognized as committers can "own" the problem of security for this codebase. It is this way to protect both the ASF and the codebase.
I realize better than many that this was handled another way in the past. The advantage of Apache as a home for OpenOffice.org is the size and robustness of the ASF, but that comes with the price of some necessary consistency in how we deal with all of our projects. Arguing back and forth will only result in hurt feelings. Nobody is trying to persecute anybody here, nor are we trying to be non-inclusive...we're just trying to set up the structures that are working well (both legally and from a community perspective) on our top level projects...so that OpenOffice.org has a chance of graduating to join them. So everybody please calm down.

I'd propose that we (as a project) decide how best to work with LibreOffice to identify people who would like to serve as liaisons for security. If indeed nobody wants to sign an iCLA, then we'll gladly subscribe LO to receive downstream notifications rather than early disclosure of any issues that arise. That is suboptimal, but until more diplomacy and trust work is done it may be the best we can do.

Danese

> Sarcasm does not "travel well", maybe you should add <sarcasm>
> </sarcasm> to the above paragraph ?
>
> Norbert
>
