On Mon, Aug 1, 2011 at 7:40 PM, Simon Phipps <[email protected]> wrote:
> On Mon, Aug 1, 2011 at 12:15 PM, Rob Weir <[email protected]> wrote:
>
>> On Mon, Aug 1, 2011 at 2:59 PM, Simon Phipps <[email protected]> wrote:
>> > One observation about this discussion: Until there is actually a way to
>> > make a binary deliverable from AOOo, any inbound security alerts would
>> > probably need to be referred to LibreOffice anyway. While the Apache-only
>> > list that's being speculatively designed here might be applicable once the
>> > project is creating deliverables, but until then a pragmatic approach of a
>> > temporary and inclusive list seems hugely preferable.
>> >
>>
>> It is possible that some reports would be shared. It is also possible
>> that some would not. For example, a report might be a duplicate. It
>> might be wrong. It might be spam. It might require a followup to
>> clarify. It might involve code that doesn't exist in LibreOffice. The
>> discretion lies with the PPMC and their delegates.
>>
>> The Apache Security page makes it clear to reporters that they are
>> reporting a vulnerability to Apache where it will be discussed
>> privately by the project team. They are not told that their report,
>> with their name, company affiliation and other contact info, will be
>> shared more broadly than that. So even in instances where we did
>> share information, such as with a 3rd party expert or via a
>> pre-notification, that initial report would only be shared in
>> anonymized form.
>>
>
> I don't think I understand how your response, which refers to the
> functioning of a future list once AOOo has an operational development
> process, applies to my comment, which refers to the situation now when any
> incoming security issue would probably be triaged by fixing & recommending
> use of LibreOffice.
>
The existence and staffing of ooo-security is part of AOOo development. It is not something outside of a development process. Not every report we receive necessarily results in the production of an urgent patch. But if such a situation occurred, then we'd discuss on ooo-security and develop a recommendation. But regardless of the disposition of the report, I think it is important to respect the privacy of the reporter.

> S.
>
