Whatever the arrangement is to become, it should not have a single point of failure in achieving coordination on common-mode/mono-culture vulnerabilities.
Anyone can post to anyone's security list. But they are private lists. It is the part where discretion must occur in handling vulnerabilities until the fix is in and a CVE is posted that happens privately and that might work better with some shared membership on the security lists.

On AOOo, the PPMC is aware of any resolution that works into code, because of the way a security fix gets committed into a release. The PPMC-only member rule is one that was made up on this PPMC. It still needn't interfere with us communicating with each other and advising about progress toward a fix and CVE. I know it hasn't been an impediment with the security issues that I am aware of personally.

 - Dennis

-----Original Message-----
From: Simon Phipps [mailto:[email protected]]
Sent: Wednesday, October 05, 2011 16:01
To: [email protected]
Subject: Re: Vulnerability fixed in LibreOffice

On Wed, Oct 5, 2011 at 11:11 PM, Dave Fisher <[email protected]> wrote:

> To be fair there have been email outages at least twice with
> openoffice.org - perhaps the messages were lost during that time.

Entirely plausible, I agree. So given [email protected] appears to be abandoned, and given the ooo-security list is only open to Apache committers, where should collaboration be taking place? I'm happy to mediate a discussion/solution.

S.
