It is a little difficult to figure out where to reply on this thread, but I am mostly aligned with Shane and the response from Simon.
THE PRESENT STATE OF AFFAIRS

First, since the earlier conversation and the exchange that Michael Meeks mentions in his restart of this thread today, Martin Hollmichel added Rob Weir as an additional moderator on securityteam@ OO.o. I privately requested being added to that list as a subscriber so that there is more coverage from ooo-security@ i.a.o, although I don't know if that has been accomplished. Also, ooo-security@ i.a.o is subscribed to securityteam@ OO.o.

So, there is a way to receive everything that goes to securityteam@ and there are enough of us who should be able to ensure that anything of mutual importance that ooo-security@ learns of can be reported to securityteam@. There is now a degree of shared oversight on the securityteam@ list that should work going forward as tuning is done. I believe this is preferable to making a new place and having to construct a new securityteam, for many reasons including the security of securityteam@ itself.

THE FAILING/DESIRED STATE?

The preceding steps were taken around October 10-13 on the urging of Apache mentor(s) that action had been delayed too long and the cross-connection on common territory needed to be cleaned up ASAP. I think that's been accomplished well enough for now.

This does raise some issues. First, perpetuation of securityteam@ OO.o depends on preservation of that e-mail list and its operation when the OpenOffice.org domain comes under Apache custody. If, instead, securityteam@ OO.o has to be abandoned, an alternative community-common location will have to be created.

If securityteam@ OO.o is preserved, I believe the oversight of security@ apache.org and the care of Apache infrastructure is a bonus. The ASF attention to security and commitment to the security and safety of the sites in its care is valuable. It is well-established. The strength of the security@ team is a related bonus.
There is a highly-experienced and qualified team in a position to ensure that securityteam@ is secured and also operated in a reliable and even-handed way.

I had preferred, myself, that any ASF contribution of moderation and administration, along with that provided by others, come from security@ a.o rather than anyone on ooo-security@ i.a.o. I think security@ is more credible as a neutral party. ASF has no issue with how many different office suites there are, how many open-source office suite projects there are, and what the variety of releases and distributions might be. So I think it is a superior earnest from ASF to have security@ take a hand to ensure that security comes first and that competitive instincts will have no influence.

On the other hand, security@ already has oversight on everything that happens on ooo-security, including anything ooo-security receives automatically from securityteam@ OO.o. I think that is good enough, but it might not be perceived to be by those who need to be able to trust in securityteam@ OO.o.

If securityteam@ OO.o cannot be preserved, then an alternative arrangement will have to be made no matter what. Then I think it is important that Michael Meeks's latest proposal be brought to the front. Even if Apache hosting and infrastructure is chosen as a proven way to have assurance of available and secure sites and lists, it might be better to not use an apache.org domain name for it.

 - Dennis

-----Original Message-----
From: Shane Curcuru [mailto:[email protected]]
Sent: Wednesday, October 19, 2011 08:41
To: [email protected]
Subject: Re: Neutral / shared security list ...

On 10/19/2011 11:28 AM, Simon Phipps wrote:
> On Wed, Oct 19, 2011 at 4:16 PM, Pedro Giffuni <[email protected]> wrote:
>
>> -1
>> The Apache Foundation *IS* neutral.
>> Beyond the evident open wounds the previous relationship with SUN/Oracle
>> may have left in the community, the OpenOffice.org domain is the natural
>> reference for longtime users and the developers of the many forks.
>>
>
> I agree, but the problem is one not of the neutrality of the trademark owner
> but rather the practical neutrality of the administration of the shared
> list. Is the project happy for the list administration to be shared with
> others outside Apache?
>
> If so (and if it actually happened!) I would share your vote and re-iterate
> my earlier proposal that [email protected] be used.
>
> S.

I'm confident that the Apache security team and specific members of AOOo PPMC could arrange a suitable administration structure to satisfy any reputable security-minded contributor in the OOo world. While some of us may have significant differences elsewhere, I hope (and presume) that we all take security seriously enough to do it correctly.

And given that the existing [email protected] email address is already plastered over archives and search results and millions of users' existing installs, keeping the same email address is a huge bonus in terms of capturing security issues from less technical end-users.

In terms of reliability, that should not be an issue once we are hosting the mailing lists at the ASF and the Apache infra team has full access to maintain the lists up to the same standards as our other lists.

- Shane
