Dave Fisher wrote on Fri, Jul 29, 2011 at 12:04:44 -0700:
> Let's stop misinterpreting and offending each other and find a way to
> co-operate.
>
> Several possibilities have been discussed.
>
> (1) A private list of experts that will be contacted as needed by
> ooo-security. Maybe this should be public, self-identified and on the
> community wiki?
>
> (2) A list of interested, interrelated projects that want to be
> informed of upcoming fixes, etc, slightly in advance. Registered on
> the community wiki?
>

As long as it's not "Whoever registers gets notified". The public
notification is via the announce@ list, not via registration.

> (3) Remembering that anyone who actually has an issue can report it to
> ooo-security and ooo-security would likely include that individual in
> their discussion and remediation. Other Apache projects actually show
> who reported, when it was privately and when it was publicly
> disclosed.
>
> (4) An offer to anyone who is an OOo security expert including LO/TDF
> people to join the podling as a committer and member of the PPMC
> - requires an ICLA (which is not a baptism nor is it circumcision) and
> the vote of the PPMC.
>
> Do you have something constructive to add here?

(6) ooo-security@ voluntarily CC's libreoffice-security@ (the list, not
individuals) when a concrete vulnerability is recognized and a fix needs
to be devised. I'm not sure whether or not an ICLA would be required; but
the ASF's legal rights to use the devised patches should be ascertained.

> Regards, Dave
