On Wed, Oct 19, 2011 at 10:56 PM, Dennis E. Hamilton <[email protected]> wrote:

> If securityteam@ OO.o is preserved, I believe the oversight of security@
> apache.org and the care of Apache infrastructure is a bonus.

I disagree. Having an arbitrary steward - regardless of their excellence - is not the way to sustain (or indeed rebuild) trust. The correct oversight is the list-members themselves.

OUTLINE PROPOSAL:

Thus I'd propose (in outline):

* That [email protected] be used as the shared meta-community security contact list for projects deriving their source code from the former Sun-led OpenOffice.org project. The list would be used for any valid meta-community security matter, including especially announcement co-ordination.

* That the list should be private to list members (and, with the consent of the list, to their project's private security list), with mutually agreed confidentiality, and populated only with people known to the majority of the list members as bona fide security-related developers.

* That the list be populated only with the consent of the existing list members (suggested process: a list member proposes a new list member with a brief explanation of why they are a good-faith and experienced security developer in the meta-community. Code-modification-style voting takes place. A moderator adds the new member. In the event of mishap, list members may be removed using the same process).

* Agreeing who the moderators should be by list-member consensus.

I'm sure this needs fleshing out by someone more process-oriented, but I suggest this outline represents a workable compromise.

Regards
S.
