On Mon, Oct 10, 2011 at 6:10 AM, Michael Meeks <[email protected]> wrote:
> Hi Rob,
>
> On Sun, 2011-10-09 at 15:26 -0400, Rob Weir wrote:
>> Reading binary file formats, including the legacy MS Office
>> formats, is notoriously difficult to do robustly.
>
> Agreed.
>
>> 2) That security reports should be sent to successor project's
>> security contacts.
> ..
>> 3) We should list the AOOo's ooo-security list, as well as the TDF/LO
>> security list, and contacts for IBM Symphony, RedOffice, as well as
>> Oracle and Novell since they may have outstanding support contacts for
>> legacy release of OOo.
>
> I would instead seriously suggest that the Apache OOo decision to
> exclude non-committers from the security list (undoing years of trust
> and co-operation here) plus our reciprocal action is the ultimate root
> cause of this communication problem. Fixing that by re-visiting that
> decision seems like the cheapest approach. Having dozens of contact
> points for umpteen different lists seems like a sure-fire recipe for
> disaster.
>
It is good to talk of root causes. If you misdiagnose the problem then it is not surprising that the proposed remedy will be ineffective.

Security reports come from security reporters. Can you tell us whether "Red Hat, Inc. security researcher Huzaifa Sidhpurwala" is a TDF member and whether he was reporting this issue under instructions from TDF? I don't see him listed as a TDF member [1], nor do I see him ever having posted to the LO dev mailing list [2]. So this is a typical example of an independent security report that a project might get. In most cases it is coming from someone unrelated to the project and unrelated to kindred projects. It will rarely come from someone who is already on your security list.

Receiving reports such as this has absolutely nothing to do with "years of trust and co-operation". It has everything to do with being clear on where such reports should be submitted. As mentioned before, submitting such reports to Apache is entirely voluntary. If such reports are not sent to Apache, it can be from lack of information or lack of will. I trust that my previous email provided the necessary information. You will not be able to claim in the future that you do not know how to submit a security report to us, or that it is the result of "miscommunication". Of course, I cannot provide the will. But at least we'll be clear about "root causes" in the future.

No objections if you want to start a separate invitation-only security discussion list. It would probably get some use. But we'll continue to ask for security reports to come to ooo-security.i.a.o. You have your own private security list for TDF as well, right? So I don't see reason for your hysteria about ooo-security when you have your own private list as well.

[1] http://www.documentfoundation.org/foundation/members/
[2] http://lists.freedesktop.org/archives/libreoffice/

-Rob
