On Fri, Jul 29, 2011 at 1:48 PM, Pedro F. Giffuni <[email protected]> wrote:
> --- On Fri, 7/29/11, Norbert Thiebaud <[email protected]> wrote:
> ...
>>
>> >
>> So let me use an analogy to illustrate why I thought that was
>> a sarcasm:
>>
>> to me, Rob's paragraph read as:
>>
>> The offer remains open: If any gay person wants to marry, we
>> will gladly recognize that marriage, as long as they marry
>> someone of the opposite sex.
>>
>
> Religion is off topic here, but indeed you can't expect that
> a specific church that defines marriage as the union between
> a man and a woman to procreate will recognize same sex
> unions as "marriages". No sarcasm there, just the rules.

The sarcasm here is not each other's position, but the claim that there is any 'open offer' in such a proposal.

>
>>
>> PS: why o why would signing an iCLA be a requirement to be
>> a project security liaison ?
>
> The ICLA covers two things that are essential for any
> contribution: license and patents. It would be unacceptable
> to accept security patches that could cause problems in
> either topic.
>

OK, let me use a concrete example:

Let's say person A found somewhere in the code something like

    printf( s_usingText );

where there is a risk that s_usingText is not sanitized...

Let's say person A notifies this security risk to LibreOffice security risk.

What should happen then:

a/ LibreOffice keeps it private to LibreOffice members only, makes and publishes a fix, then and only then unleashes the news on the rest of the world, including AOO.org ?

b/ LibreOffice security list has subscribers that represent their cousin project AOO.org, so they are aware of it immediately and can themselves assess, fix and prepare a patch (if applicable)... and since they have cross-list access they can coordinate release and announce if need be.

If you selected option a/ then fine, subject closed.. but let's not be hypocrites about it.

If you selected option b/ how do you rationalize that the behavior should not be reciprocal ? 'because that is how Apache works ?' really ?

> Ambassadors only get notified of internal issues; they
> don't decide. A security officer would be more analogous
> to a defense minister.

Being subscribed as a liaison to a ooo-security list does not confer the subscriber any decision power... and yes, the whole point of the cross-pollination _is_ to get notified as soon as possible of possible issues.

Norbert
