On Oct 12, 2011, at 6:43 AM, Rob Weir wrote:

> On Wed, Oct 12, 2011 at 9:04 AM, Shane Curcuru <[email protected]> wrote:
>> On 10/12/2011 8:51 AM, Rob Weir wrote:
>>>
>>> On Wed, Oct 12, 2011 at 6:34 AM, Ross Gardler
>>> <[email protected]> wrote:
>>>>
>>>> Before I sign off I'd like to see the report address external
>>>> communications explicitly.
>>>>
>>>> The project has a real problem right now with asserting itself as the
>>>> OpenOffice.org project and defining how it will interact with
>>>> downstream projects. Is the community going to take ownership of this?
>>>>
>>>> It would be nice to see a statement from the PPMC making it explicit
>>>> what they wish to tackle and, where possible, how. For example, after
>>>> a flurry of discussion about improved security reporting processes and
>>>> collaboration opportunities is the PPMC going to deliver or will this
>>>> just die down and go away?
>>>>
>>>
>>> In that other long thread -- and it is understandable if you missed
>>> this -- I said:
>>>
>>> "I think it would be good if the PPMC wanted to express to the
>>> ooo-security members that they want us to make security collaboration
>>> with TDF/LO a priority and to make every effort to share all
>>> appropriate information with TDF/LO. I'd support that. This could be
>>> solemnized by having a few Apache members, maybe mentors, affirm that
>>> they will make an effort to monitor that ooo-security list and to
>>> escalate to the AOOo PPMC if there is any backsliding on this."
>>
>> I'm not sure what you're actually asking here. "ooo-security members"
>> should be the people the PPMC appoints/approves there (and potentially
>> anyone that the central Apache security@ team appoints), so it seems like
>> you're talking about yourselves there. Who else is there between the
>> ooo-security@ list and the PPMC?
>>
>
> Currently, there is no one between ooo-security and the PPMC. And
> I am perfectly fine with that. But Ross's question was about external
> relations, not the relationship between the PPMC and ooo-security.

I think that "we" as the AOOo PPMC will need to find one or more PPMC members to fulfill certain external roles. Perhaps these roles are:

(1) Public face of Security for AOOo.
(2) Liaison with the TDF.
(3) Press Liaison.
(4) Brand Manager / Cat Herder.

With people in these roles who are active then perhaps the rest of us can defer immediate responses to questions in these areas when they occur on ooo-dev. With slight formality we might be able to stop the periodic and damaging flames of misunderstanding.

Regards,
Dave

>
>> Yes, I agree that efforts should be made to responsibly share security
>> issues with technically related projects. This should be a default; while
>> it's certainly good to bring it up, if there was anyone here who wasn't
>> clear on the idea that Apache projects *must* take security seriously,
>> then... well, then they should change their expectations.
>>
>
> That wasn't my point. I don't think it was Ross's either.
>
>> Security in Apache products - and properly handling reports and
>> *responsibly* disclosing issues - is a mandatory feature. If the PPMC does
>> have specific questions on best Apache practices, then security@ is the
>> place to go.
>>
>
> Yes, but not the point.
>
>>> So I'm proposing that a couple Apache members step up to the plate on
>>> this as well. What do you say?
>>
>> The point of incubation is to show a healthy community that manages itself.
>> So I'm looking to the PPMC to be handling this yourselves. That said,
>> trying to attract new contributors - especially ones who are familiar with
>> the Apache Way - is always a good idea.
>>
>
> Maybe someone else can explain this better, since I'm obviously
> failing to get my point across here. If no one else cares, then
> that's fine too.
>
>> I certainly plan to review the ooo-security@ list periodically to see how
>> it's operating, as a mentor, but currently that's to prove to myself that
>> the project's members are acting responsibly, not necessarily to do the
>> project's work for it.
>>
>> - Shane
>>
>>
>>>
>>> -Rob
>>>
>>>
>>>> NOTE I'm not asking for a full strategy in the report, just a
>>>> statement indicating whether or not the PPMC feels that it owns these
>>>> issues. If it doesn't want to own them then who does?
>>>>
>>>> Ross
>>>>
>>>> On 7 October 2011 15:33, Shane Curcuru <[email protected]> wrote:
>>>>>
>>>>> Tip: the board always appreciates well written reports that follow these
>>>>> reporting guidelines:
>>>>>
>>>>> http://www.apache.org/foundation/board/reporting
>>>>>
>>>>> - Shane
>>>>>
>>>>> On 10/5/2011 8:05 PM, Alexandro Colorado wrote:
>>>>>>
>>>>>> Added some items for the October report for OOo. Feel free to chip in.
>>>>>>
>>>>>> http://wiki.apache.org/incubator/October2011?action=diff&rev2=11&rev1=10
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Ross Gardler (@rgardler)
>>>> Programme Leader (Open Development)
>>>> OpenDirective http://opendirective.com
>>>>
>>
