+1 I am very much in support of the view that Dave has evolved in this discussion. The discussion is not about the private security teams each project must have to deal with its security issues and to ensure the secure operation of the dealing with security issues.

If there is to be a community location for sharing concerning common vulnerabilities and security concerns among those teams, a kind of secure channel among the parties, like a multilateral hot line, some trustworthy basis for that has to be achieved. The security of our users in relying on our products and their interchange protocols and formats is paramount. Ultimately, that is the bedrock for enduring the discomfort of finding ways to accomplish this that is trustworthy for all of the participants.

 - Dennis

-----Original Message-----
From: Dave Fisher [mailto:[email protected]]
Sent: Tuesday, October 25, 2011 12:30
To: [email protected]
Subject: Re: Neutral / shared security list ...

Hi Pedro,

On Oct 25, 2011, at 11:42 AM, Pedro Giffuni wrote:

> I am not in the PPMC specifically to avoid participating in this type of
> discussions, but I have to say this, just IMHO:

I appreciate your decision to focus on the code. Project management keeps pulling me away from code ... for too many years.

> I fail to understand why the ASF is not considered neutral, deep
> inside I think the reason is simply because this year we got a bigger
> toy in our Christmas tree that they wanted. Hope I am wrong.

Michael Meeks and Florian have been explicit today that openoffice.org as a destination is not considered neutral by the TDF. I haven't explicitly asked if an apache.org address is not sufficiently neutral ... I suspect not. I think about this as a branding decision by TDF about LO and not our business.

> We owe to our millions of users out there to maintain our own security
> channels and we cannot delegate them to a third party. Looking for
> an unrelated domain to handle our issues is like giving your children
> to your neighbors so they educate them "impartially".

There should be no doubt that [email protected] will remain as the project's security list. If there is a meta-list for security for all of the peers in the OOo / LO and the rest community, this is some confederation that shares security issues in a private manner between peers. The peers have the mutual interest of their communities in mind.

> If there is no interest in bringing the code bases together I think there
> is not much to gain on a shared security list on the long run.

There is a need for co-operation regardless of the code divergence. The code will retain significant commonality. The ODF format is a standard. There will be common security issues. One could argue that such co-operative lists should include all of the Microsoft Office community as well. Both LO and OOo implement OOXML and the binary MS Office formats. I won't because I suspect that it is a bridge too far.

Regards,
Dave

> Pedro.
