On 10 October 2011 21:41, Michael Meeks <[email protected]> wrote:
...

> It seems that you are asserting that the advice from the established
> Apache security mechanism was to be as insular as possible though; is
> that really the case ? are all other Apache projects' security lists
> closed to helpful outside membership ?

I'm afraid I can't answer your second question directly. But I can answer the first.

As has been discussed by ASF Members in this thread, including two who are a part of perhaps the most security conscious Apache project (the web server), the position is that:

a) AOOo needs a private list for discussion of security issues specific to AOOo, I would expect LO needs their own private list for the same reason.

b) Because other communities exist based on a common code base it makes sense to attempt to build an appropriate mechanism to collaborate on security issues that affect both projects

I will observe that, to my knowledge, no other ASF project is faced with situation b). I will also observe that at some point in the future any mechanism put in place now for b) may become useless as code bases diverge further OR increased levels of collaboration on core components are achieved. However, today there is a potential for collaboration across the communities.

I will also observe that a proposal to address both a and b has been put forward, and repeated numerous times, in this thread. I've even seen it agreed upon, at least in principle, by most parties in this discussion.

[the next three sentences are a general observation and not in direct response to Michael]

Unfortunately the bickering about "who started it" is getting in the way of moving towards a solution. As a mentor I find it a great shame as this opportunity for healthy collaboration between LO and AOOo might be missed because we want to dissect this incident rather than look at the bigger picture of how we might work together on future incidents.

Ross
