--- On Fri, 7/29/11, Norbert Thiebaud <[email protected]> wrote:

...

> ok let me use a concrete example:
>
> Let's say person A found somewhere in the code something like
>
>     printf( s_usingText );
>
> where there is a risk that s_usingText is not sanitized...
>
> let's say person A notifies this security risk to LibreOffice security risk
>
> What should happen then:
>
> a/ LibreOffice keeps it private to LibreOffice members only, makes and
> publishes a fix, then and only then unleashes the news on the rest of
> the world, including AOO.org ?
>
> b/ The LibreOffice security list has subscribers that represent their
> cousin project AOO.org so they are aware of it immediately and can
> themselves assess, fix and prepare a patch (if applicable)... and since
> they have cross-list access they can coordinate release and announce if need be.
>
> If you selected option a/ then fine, subject closed.. but let's not be hypocritical about it.
a/ is reasonable: I am willing to accept that we can do better, but if ultimately a/ is the only option that does not mean we are enemies.

We do want b/ to be reciprocal, but that means we respect your rules and you respect ours. How would you like to include a patch that I send you (no license agreement) and a few months later the company I work for (with or without my consent) starts suing your users for patent infringement? The few rules Apache has are there for a reason, and trust me, there is no intention to treat any project unfairly.

...

> being subscribed as a liaison to an ooo-security list does not confer
> the subscriber any decision power... and yes the whole point of the
> cross-pollination _is_ to get notified as soon as possible of possible
> issues.
>

ooo-security, as I understand it, is meant to identify and react as fast as possible to specific vulnerabilities that other people report. Other projects have a security-notifications list in addition to the normal security lists. Security issues are usually relatively straightforward to patch, so even if we have to resort to option a/, the notification will not take too long to come out...

cheers,
Pedro.

> Norbert
>
>
