On 10/12/2011 8:51 AM, Rob Weir wrote:
On Wed, Oct 12, 2011 at 6:34 AM, Ross Gardler
<[email protected]>  wrote:
Before I sign off I'd like to see the report address external
communications explicitly.

The project has a real problem right now with asserting itself as the
OpenOffice.org project and defining how it will interact with
downstream projects. Is the community going to take ownership of this?

It would be nice to see a statement from the PPMC making it explicit
what they wish to tackle and, where possible, how. For example, after
a flurry of discussion about improved security reporting processes and
collaboration opportunities is the PPMC going to deliver or will this
just die down and go away?


In that other long thread -- and it is understandable if you missed
this -- I said:

"I think it would be good if the PPMC wanted to express to the
ooo-security members that they want us to make security collaboration
with TDF/LO a priority and to make every effort to share all
appropriate information with TDF/LO.  I'd support that.  This could be
solemnized by having a few Apache members, maybe mentors, affirm that
they will make an effort to monitor that ooo-security list and to
escalate to the AOOo PPMC if there is any backsliding on this."

I'm not sure what you're actually asking here. "ooo-security members" should be the people the PPMC appoints/approves there (and potentially anyone that the central Apache security@ team appoints), so it seems like you're talking about yourselves there. Who else is there between the ooo-security@ list and the PPMC?

Yes, I agree that efforts should be made to responsibly share security issues with technically related projects. This should be a default; while it's certainly good to bring it up, if there was anyone here who wasn't clear on the idea that Apache projects *must* take security seriously, then... well, then they should change their expectations.

Security in Apache products - and properly handling reports and *responsibly* disclosing issues - is a mandatory feature. If the PPMC does have specific questions on best Apache practices, then security@ is the place to go.

So I'm proposing that a couple Apache members step up to the plate on
this as well.  What do you say?

The point of incubation is to show a healthy community that manages itself. So I'm looking to the PPMC to be handling this yourselves. That said, trying to attract new contributors - especially ones who are familiar with the Apache Way - is always a good idea.

I certainly plan to review the ooo-security@ list periodically to see how it's operating, as a mentor, but currently that's to prove to myself that the project's members are acting responsibly, not necessarily to do the project's work for it.

- Shane



-Rob


NOTE I'm not asking for a full strategy in the report, just a
statement indicating whether or not the PPMC feels that it owns these
issues. If it doesn't want to own them then who does?

Ross

On 7 October 2011 15:33, Shane Curcuru<[email protected]>  wrote:
Tip: the board always appreciates well written reports that follow these
reporting guidelines:

  http://www.apache.org/foundation/board/reporting

- Shane

On 10/5/2011 8:05 PM, Alexandro Colorado wrote:

Added some items for the October report for OOo. Feel free to chip in.

http://wiki.apache.org/incubator/October2011?action=diff&rev2=11&rev1=10





--
Ross Gardler (@rgardler)
Programme Leader (Open Development)
OpenDirective http://opendirective.com
