Rob, I'd like to actually try to work out the shared list situation with a sincere spirit of mutual understanding, listening and co-operation.
On Oct 25, 2011, at 9:08 AM, Rob Weir wrote:

> There is an easy way to avoid all the trust issues with regards to
> shared mailing lists. Don't have such a list. Trust individuals.
> This proposal takes this approach.
>
> 1) The AOOo PMC solicits the names of security contacts from related
> projects who wish to be consulted related to pre-disclosure
> coordination related to analysis and resolution of reported security
> vulnerabilities. Names of individuals are preferred over opaque
> mailing lists. Trust can be established based on a PGP/GPG web of
> trust. These names and addresses are stored confidentially in the
> PPMC's private SVN directory.

Do you have software that actually exists that does this? Who is going to build this?

>
> 2) The AOOo security team reaches out to these contacts, as
> appropriate, via their preferred contact mechanism, to coordinate on
> specific vulnerabilities. We (Apache) would cc ooo-security on our
> external emails, as required by Apache policy [1].

Replies would not necessarily be cc'd to ooo-security and that would be a problem.

>
> 3) Other groups would be encouraged to reach out to AOOo in similar
> circumstances via our preferred contact mechanism, ooo-security.
>
> 4) This fully allows targeted collaboration on specific issues, via
> each project's preferred contact mechanism, without requiring the
> maintenance of an additional email list.
>
> 5) If we want to discuss security in general, then that can/should
> happen on public dev lists. That public discussion could occur
> anywhere.
>
>
> [1]: http://www.apache.org/security/committers.html

Time to be productive today.

Regards,
Dave
