On Fri, Jul 29, 2011 at 4:37 PM, Daniel Shahaf <[email protected]> wrote:

> Dave Fisher wrote on Fri, Jul 29, 2011 at 12:04:44 -0700:
>> Let's stop misinterpreting and offending each other and find a way to
>> co-operate.
>>
>> Several possibilities have been discussed.
>>
>> (1) A private list of experts that will be contacted as needed by
>> ooo-security. Maybe this should be public, self-identified and on the
>> community wiki?
>>
>> (2) A list of interested, interrelated projects that want to be
>> informed of upcoming fixes, etc, slightly in advance. Registered on
>> the community wiki?
>>
>
> As long as it's not "Whoever registers gets notified". The public
> notification is via the announce@ list, not via registration.
>
>> (3) Remembering that anyone who actually has an issue can report it to
>> ooo-security and ooo-security would likely include that individual in
>> their discussion and remediation. Other Apache projects actually show
>> who reported, when it was privately and when it was publicly
>> disclosed.
>>
>> (4) An offer to anyone who is an OOo security expert including LO/TDF
>> people to join the podling as a committer and member of the PPMC
>> - requires an ICLA (which is not a baptism nor is it circumcision) and
>> the vote of the PPMC.
>>
>> Do you have something constructive to add here?
>>
>
> (6) ooo-security@ voluntarily CC's libreoffice-security@ (the list, not
> individuals) when a concrete vulnerability is recognized and a fix needs
> to be devised.
>
And why not at that point cc Symphony, RedOffice, NeoOffice, BrOffice, EuroOffice, etc? If we need expertise in resolving an issue or preparing a fix then we should seek out the best expert we can find willing to help, regardless of their affiliation. (Would you suggest less?) And if our goal is to give a pre-notification to downstream consumers (or others who share a similar codebase) then we do so more broadly, to trusted representatives of those projects, without favoritism. I cannot imagine any situation where it would be appropriate to automatically cc LibreOffice and only LibreOffice on every new vulnerability.

> I'm not sure whether or not an ICLA would be required; but the ASF's
> legal rights to use the devised patches should be ascertained.
>
>> Regards, Dave
>
