Having some lists on SourceForge makes it clear to me that you don't want to go 
there.  My SourceForge e-mail address, the one associated with the lists, 
receives an incredible number of bounces of false e-mails allegedly from the 
list as well as crap sent to the list.  It is difficult to avoid the conclusion 
that some of this is attributable to successful hacking into the list servers.  
That may be in the past, but there is no visibility and accountability about it 
that I have found.

There is a strong requirement for a vigilant host that is intolerant of lax 
security and that provides all of the appropriate safeguards and privacy of the 
kind required for a community security list.  Such a list has a bulls-eye on 
its back and a big "ATTACK ME" arrow pointed at it.

I recommended, and am still inclined to recommend, ASF for hosting for 
precisely the reasons that they are vigilant and this is also demonstrated in 
how they are vigilant with regard to the integrity of their code bases, the 
releases, and their authenticity.  There is little question, to me, that ASF is 
likely going to outlast many alternatives for such a facility.

I view this as separate from issues about governance of the list itself and the 
conditions for membership on the list.  Because security lists are by necessity 
used for sensitive information, they cannot be public.  The challenge is to 
still have transparency and accountability over how the list is governed and 
operated, as a list, and who the participants (or at least, what organizations 
are represented, for participants who are there as representatives of 
particular projects).  By the way, I know of no list that expects reporters to 
it (who also might submit packages) to have signed any kind of license 
agreement.  Maybe that happens.  I am not aware of it.

I think Rob summarized the trust issues perfectly well.    

Since there does not appear to be a situation where blind trust is present, nor 
called for, the challenge is to build trust from some initial basis on which 
there is alignment.  

One case has to deal with trust in the impartiality and the serious 
professional conduct of the hosting organization, whatever the list is and 
whatever its Internet address is.  I still claim that the best choice of those 
offered so far is ASF.  

Whatever other candidates for hosting are, there needs to be strong agreement 
on the measures that qualify that choice that inspires mutual trust, apart 
from where the domain name is.

 - Dennis

-----Original Message-----
From: Florian Effenberger [mailto:[email protected]] 
Sent: Tuesday, October 25, 2011 08:56
To: [email protected]
Subject: Re: Neutral / shared security list ...

Hello,

it is really amazing how much hot air can be produced for such a topic.

Folks, it's rather easy. After the recent discussions and the history of 
this topic, it becomes obvious, that neutral grounds are important.

Neutral grounds mean:
- no domain name related to Apache, OOo, TDF or LibO
- no hosting at one of these entities
- members of the list from both parties (and of course other third 
parties that make sense)
- admins of the list from both parties

I'd also avoid any of the German associations, either directly or via 
donations, since stakeholders at both projects are in their respective 
boards, which might raise concerns towards neutrality.

What's so complicated to understand here? We can bury ourselves with 
senselessly quoting bullshit from dictionaries, Wikipedia or a 
philosopher of our choice, or finally start working on things.

A concrete proposal:
- We can use either FreeDesktop.org,
- or in case this is seen as non-neutral as it hosts also a few TDF 
lists (not all), go for SourceForge.
- I am also happy to ask a friend of mine who is in the business of mail 
server consultancy, to host that list under a neutral domain name. He 
hosts various lists for free projects. In case that's not neutral enough 
as he's a friend, I know none of the admins at SourceForge.

So, is there any *compelling* reason not to try out one of these three 
options?

Florian

-- 
Florian Effenberger <[email protected]>
Steering Committee and Founding Member of The Document Foundation
Tel: +49 8341 99660880 | Mobile: +49 151 14424108
Skype: floeff | Twitter/Identi.ca: @floeff
