On Mon, Oct 10, 2011 at 9:24 AM, Simon Phipps <[email protected]> wrote:
> On Mon, Oct 10, 2011 at 2:15 PM, Rob Weir <[email protected]> wrote:
>
>>
>> I've restated, in more explicit form, what I think the consensus is.
>>
>
> It's hard to read your words that way, as they leave no room for anyone but
> Apache committers. The clear consensus was for collaboration with the
> StarOffice legacy ecosystem to be made easy. I'll wait for others to
> respond further, though.
>

Since you relied on Shane's post initially, let me remind you of what he wrote [1]:

"I believe and support them having a private security@ list that only PPMC members are allowed to subscribe to, to accept reports of vulnerabilities and to make plans to address them in ASF releases."

I'm stating the same thing.

Shane then stated that he "would definitely vote to use or host an officesecurity@somedomain private list where *any* existing members of an OOo related security team would all be allowed to subscribe and work on issues in conjunction."

I agree with that as well.

These are not mutually exclusive options, Simon. And this is not just a two-party thing. Yes, AOOo and TDF both have their own private means to discuss security issues. But so does IBM for Symphony, and Novell for their products, and RedHat and RedOffice for their products. We're not going to eliminate the means for companies and open source projects to have private discussions about security issues that are reported to them. And nor should we seek to. But we can have an invitation-only list where we can discuss overlapping concerns related to security. That is collaboration that also respects the autonomy of the individual projects.

[1] http://mail-archives.apache.org/mod_mbox/incubator-ooo-dev/201110.mbox/%[email protected]%3E

> S.
>
