On Fri, Jul 29, 2011 at 11:58 AM, Dave Fisher <[email protected]> wrote:
>
> On Jul 29, 2011, at 9:26 AM, Norbert Thiebaud wrote:
>
>> On Fri, Jul 29, 2011 at 10:48 AM, Rob Weir <[email protected]> wrote:
>>> On Fri, Jul 29, 2011 at 10:58 AM, Florian Effenberger
>>> <[email protected]> wrote:
>>>> Hi,
>>>>
>>>> Rob Weir wrote on 2011-07-29 16:49:
>>>>>
>>>>> What did you think of Simon's idea of having a discussion list,
>>>>> perhaps outside of Apache, where interested parties could discuss
>>>>> issues related to the security of OOo and related code bases?
>>>>> Something like that could be useful, even if it is not part of the
>>>>> official incident response process of Apache or LibreOffice.
>>>>
>>>> I was not talking about chatting on security topics, I was talking about
>>>> effectively cooperating on security issues, like we did in the past, in a
>>>> trusted, well-proven group.
>>>>
>>>> However, people made it clear that this is not of interest, so I simply
>>>> shut up here.
>>>>
>>>
>>> The offer remains open: If any LibreOffice security expert joins this
>>> list, states that they have relevant expertise and that expresses a
>>> commitment to work on Apache OpenOffice security, and are willing to
>>> sign and return the Apache iCLA, then I will gladly nominate them as a
>>> committer and recommend that they be added to the ooo-security list.
>>
>> Sarcasm does not "travel well", maybe you should add <sarcasm>
>> </sarcasm> to the above paragraph ?
>
> I think that Rob is being serious here, he's mentioned this twice. There are
> rules, but there are ways to deal with those rules.
>
> I fail to see any sarcasm in this honest offer and I second the offer
> including PPMC membership. If a known OOo security expert
No, Rob's 'honest offer' was: " If any LibreOffice security expert joins "

> wishes to join our podling we should make all necessary efforts to include
> them.

That was never the topic.

The topic is: considering that we share a big common ancestor, if either one of us is made aware of a security risk, should we inform our cousin ASAP? And if so, how best to do that.

Apparently in the past that was achieved by cross-pollinating each other's security lists with a select few security-expert liaisons.

Note that this sword cuts both ways. ( http://en.wikipedia.org/wiki/Tit_for_tat )

>

So let me use an analogy to illustrate why I thought that was sarcasm: to me, Rob's paragraph read as:

The offer remains open: If any gay person wants to marry, we will gladly recognize that marriage, as long as they marry someone of the opposite sex.

The offer remains open: if any person wants to collaborate with us on a neighborhood watch list, we will gladly accept them as long as they get baptized in our church and renounce their evil ways.

Norbert

PS: why oh why would signing an iCLA be a requirement to be a project security liaison? It's like asking that any ambassador be a naturalized citizen of the country he is posted in.
