On 10/25/2011 09:08 AM, Rob Weir wrote:
There is an easy way to avoid all the trust issues with regards to
shared mailing lists.  Don't have such a list.  Trust individuals.
This proposal takes this approach.

Actually I personally like this idea. Why? There have been many statements/testimonies to the fact that the LO contains a great deal of code that is NOT in any of the OOo releases, and is now quite different. And, presumably, the LO development will continue to be different enough to warrant its own separate universe of mailing lists. I think at some point if we decided we really truly wanted to have a shared security list, it would become very difficult to determine who was the responsible party for the grievances. I might be exaggerating the problems since I'm not a developer, but, then again, maybe not.

So, although I'd love to see us work more closely with LO, I believe separate security lists are in order.


1) The AOOo PMC solicits the names of security contacts from related
projects who wish to be consulted related to pre-disclosure
coordination related to analysis and resolution of reported security
vulnerabilities.  Names of individuals are preferred over opaque
mailing lists.  Trust can be established based on a PGP/GPG web of
trust.  These names and addresses are stored confidentially in the
PPMC's private SVN directory.

2) The AOOo security team reaches out to these contacts, as
appropriate, via their preferred contact mechanism, to coordinate on
specific vulnerabilities.  We (Apache) would cc ooo-security on our
external emails, as required by Apache policy [1].

3) Other groups would be encouraged to reach out to AOOo in similar
circumstances via our preferred contact mechanism, ooo-security.

4) This fully allows targeted collaboration on specific issues, via
each project's preferred contact mechanism,  without requiring the
maintenance of an additional email list.

5) If we want to discuss security in general, then that can/should
happen on public dev lists.  That public discussion could occur
anywhere.


[1]: http://www.apache.org/security/committers.html

--
------------------------------------------------------------------------
MzK

"This is no social crisis
 Just another tricky day for you."
                 -- "Tricky Day", the Who
