Wow, has this thread not gone anywhere, nor been as polite as I'd hope.
----
Fundamentally, the ASF has delegated responsibility for all future
Apache OpenOffice releases to the Apache OpenOffice PPMC. I believe and
support them having a private security@ list that only PPMC members are
allowed to subscribe to, to accept reports of vulnerabilities and to
make plans to address them in ASF releases.

The issue is, what to do with security issues raised about *previous*
releases of OpenOffice.org software - something that normally we'd all
look to Oracle and the previous Security Team of OpenOffice.org to fix,
but in this case, we need to at least attempt to address them ourselves
(hopefully, jointly).

I think we've completely lost sight of "B", a place where Apache
OpenOffice PPMC members and trusted others of related projects can work
together. Given the interrelationships of code between OpenOffice and
LibreOffice and others, I would definitely vote to use or host an
officesecurity@somedomain private list where *any* existing members of
an OOo related security team would all be allowed to subscribe and work
on issues in conjunction.

Personally, I'd suggest using the existing [email protected]
for this purpose of "B", because it's already well known, and uses the
openoffice.org domain (which will be hosted by the ASF in the future).

The Apache-specific list would be the existing
[email protected] list, which would be open only to ASF
committers that the Apache OpenOffice PPMC approves.

But that's just my (non-binding) vote. But I'd definitely like to see
more organized cooperation here in terms of capturing and sharing basic
information about security fixes.

And in terms of IP, I would hope that any participants in the (future)
joint [email protected] list would agree explicitly to mail only
AL-licensed code to that list, ensuring that the Apache OpenOffice
podling could use it in a release.
- Shane
On 10/6/2011 10:38 AM, Florian Effenberger wrote:
Hi,
Jürgen Schmidt wrote on 2011-10-06 14:40:
My idea is to simply use the existing
[email protected] <[email protected]> list for
collaborative work on this topic. LibreOffice has also a separate
security list, right. So I don't see your point here.

I proposed that, Rob Weir refused to continue with the existing
contacts, saying things at Apache were different.
Ping me when you folks have sorted out your issues.
Florian