Hi Rob,

On Sun, 2011-10-09 at 15:26 -0400, Rob Weir wrote:
> Reading binary file formats, including the legacy MS Office
> formats, is notoriously difficult to do robustly.

        Agreed.

> 2) That security reports should be sent to successor project's
> security contacts.
..
> 3) We should list the AOOo's ooo-security list, as well as the TDF/LO
> security list, and contacts for IBM Symphony, RedOffice, as well as
> Oracle and Novell since they may have outstanding support contacts for
> legacy release of OOo.

        I would instead seriously suggest that the Apache OOo decision to
exclude non-committers from the security list (undoing years of trust
and co-operation here) plus our reciprocal action is the ultimate root
cause of this communication problem. Fixing that by re-visiting that
decision seems like the cheapest approach. Having dozens of contact
points for umpteen different lists seems like a sure-fire recipe for
disaster.

> It is quite natural for representatives of other products based on the
> same source code to want to be on AOOo's ooo-security list, to discuss
> and resolve issues and co-develop patches.  This is a very natural
> desire and has a very natural solution:  Become a committer.  That is
> how to get involved.

        This seems an arbitrary and unnecessary requirement. If TDF were to
demand wearing an "I love TDF" badge at conferences as a requirement of
being on our security list it'd be seen as just as silly. If TDF folk
wanted to be committers at Apache - they already would be, but the vast
majority are not, and it is not something I'd want to ask anyone to have
to do in order to work on security, and certainly not something I want
to do myself.

        In many ways (from a licensing perspective) cross-fertilisation on
lists is a more attractive option than having a shared list IMHO, but it
must go both ways without pre-conditions that extend beyond competence
and relevance.

> This alternative may lack the immediacy of joining ooo-security directly,
> but that is the trade-off.  Return the iCLA and become a committer and
> you can easily be on the ooo-security list. Don't return the iCLA and
> you can't.

        Simply re-stating the status quo, in light of its failure, doesn't
really help anyone I think. Potentially, if you really, really want to
keep your list closed, we can create yet another list in some neutral
third place; where is hard to say (again, this is why cross-fertilisation
is by far the easiest solution IMHO).

        As a proposal, it'd be easy to get a list at freedesktop with
cross-project admins. That is associated with LibreOffice I suppose, why
don't we call it 'ooo' as the compromise:

        ooo-secur...@lists.freedesktop.org ?

        [ of course I'd need to check that out, but would there be any
objections to migrating ooo-security to somewhere there ? ]. I imagine
TDF would be happy to advertise a shared list as our preferred contact
point for vulnerabilities if ASF will reciprocate.

        All the best,

                Michael.

-- 
michael.me...@suse.com  <><, Pseudo Engineer, itinerant idiot