Hi Rob,

On Sun, 2011-10-09 at 15:26 -0400, Rob Weir wrote:
> Reading binary file formats, including the legacy MS Office
> formats, is notoriously difficult to do robustly.

Agreed.

> 2) That security reports should be sent to successor project's
> security contacts.
..
> 3) We should list the AOOo's ooo-security list, as well as the TDF/LO
> security list, and contacts for IBM Symphony, RedOffice, as well as
> Oracle and Novell since they may have outstanding support contacts for
> legacy release of OOo.

I would instead seriously suggest that the Apache OOo decision to exclude non-committers from the security list (undoing years of trust and co-operation here) plus our reciprocal action is the ultimate root cause of this communication problem. Fixing that by re-visiting that decision seems like the cheapest approach. Having dozens of contact points for umpteen different lists seems like a sure-fire recipe for disaster.

> It is quite natural for representatives of other products based on the
> same source code to want to be on AOOo's ooo-security list, to discuss
> and resolve issues and co-develop patches. This is a very natural
> desire and has a very natural solution: Become a committer. That is
> how to get involved.

This seems an arbitrary and un-necessary requirement. If TDF were to demand wearing an "I love TDF badge" at conferences as a requirement of being on our security list it'd be seen as just as silly. If TDF folk wanted to be committers at Apache - they already would be, but the vast majority are not, and it is not something I'd want to ask anyone to have to do in order to work on security, and certainly not something I want to do myself. In many ways (from a licensing perspective) cross-fertilisation on lists is a more attractive option than having a shared list IMHO, but it must go both ways without pre-conditions that extend beyond competence and relevance.

> This alternative may lack the immediacy of joining ooo-security directly,
> but that is the trade-off. Return the iCLA and become a committer and
> you can easily be on the ooo-security list. Don't return the iCLA and
> you can't.
Simply re-stating the status quo, in light of its failure, doesn't really help anyone I think. Potentially if you really, really want to keep your list closed, we can create yet-another list: in some neutral third place; where is hard to say (again this is why cross-fertilisation is by far the easiest solution IMHO). As a proposal, it'd be easy to get a list at freedesktop with cross-project admins. That is associated with LibreOffice I suppose, why don't we call it 'ooo' as the compromise: ooo-secur...@lists.freedesktop.org ? [ of course I'd need to check that out, but would there be any objections to migrating ooo-security to somewhere there ? ]. I imagine TDF would be happy to advertise a shared list as our preferred contact point for vulnerabilities if ASF will reciprocate.

All the best,

Michael.

-- 
michael.me...@suse.com <><, Pseudo Engineer, itinerant idiot