It seems to me that sharing fixes is not nearly as crucial as sharing identification of vulnerabilities and a little hobnobbing on how the vulnerability will be made known when it exists in more than one project's releases. There might not be coordinated patching and releasing. It all depends. It might not be one-patch fixes all. Contribution of a patch that is worked up can be dealt with in a concrete case. The idea is that this is a cooperative activity and we'll do the right thing. (I found out how to put "we" in my messages and route around my auto-corrector objection.)
But this is about what is likely to happen. The question, for now, is having the shared forum or not. - Dennis -----Original Message----- From: Dave Fisher [mailto:dave2w...@comcast.net] Sent: Tuesday, October 25, 2011 16:20 To: ooo-dev@incubator.apache.org Subject: Re: [proposal] Neutral / shared security list ... On Oct 25, 2011, at 4:05 PM, Rob Weir wrote: > On Tue, Oct 25, 2011 at 7:01 PM, Dennis E. Hamilton > <dennis.hamil...@acm.org> wrote: >> Oh, and the most important part: >> >> In want way is the AOOo party to the consensus that is reached? That >> ooo-security (an agent of the PPMC, essentially) will participate in the >> described community arrangement if established? Something else? >> > > It would be good to also include in the proposal how IP will be > treated. By my reading of the iCLA this would not be covered, since > it is not an Apache list. We'd need to make some other agreement, > take it to legal-discuss, etc. I'm not so sure. ooo-security is responsible for assuring that security fixes for AOOo are AL2 compatible. If the shared security group is not producing compatible IP in response to a security threat that is a different problem. If it happens often then ooo-security will need to discuss this with ooo-private. We can make it a mission statement of this group to help all the peers produce fixes that are compatible with their licenses. I don't think we can guarantee all individuals on the team will be able to always do so. Requiring such an affirmation is clearly a blocker for some individual's participation. Regards, Dave > >> I think that would be essential to bringing this to a successful conclusion. >> >> -----Original Message----- >> From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org] >> Sent: Tuesday, October 25, 2011 15:45 >> To: 'ooo-dev@incubator.apache.org' >> Cc: 'Dave Fisher' >> Subject: RE: [proposal] Neutral / shared security list ... >> >> Dave, if you are going to do that, just relabeling a thread is not helpful. >> >> Please compose a specific concrete proposal under a [DISCUSS], and announce >> the duration and end-time for a lazy consensus at the top. >> >> Give it at least 3 full 24-hour calendar days. >> >> I don't have any sense that there is alignment yet, but there may be in that >> time and I am happy to be mistaken. Then at the end, if there is a >> consensus, please report what it is. >> >> - Dennis >> >> -----Original Message----- >> From: Dave Fisher [mailto:dave2w...@comcast.net] >> Sent: Tuesday, October 25, 2011 15:35 >> To: ooo-dev@incubator.apache.org >> Cc: flo...@documentfoundation.org >> Subject: Re: [proposal] Neutral / shared security list ... >> >> Hi - >> >> Sorry to reply to myself. >> >> Even though there are choices in this email. Please view it as a proposal. >> Where we are seeking lazy consensus. >> >> On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote: >> >>> On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote: >>> >>>> On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher <dave2w...@comcast.net> >>>> wrote: >>>> >>>>> >>>>> Agreed. We need to pick a neutral domain name. office-security.org is >>>>> apparently free. >>>>> >>>>> Some institution needs to buy domain registration. I've been the volunteer >>>>> registrar for a social groups domain, it is a pain to transition. This >>>>> needs >>>>> to be an institution, it could be Team OOo? >>>>> >>>> >>>> I think they are too close to the matter. SPI exists specifically to hold >>>> assets in trust - perhaps they would hold the registration for us all? If >>>> we agree I'd be happy to volunteer to contact them. >>>> >>>> It's also possible we could ask OSI to do it - Jim Jagielski and I are both >>>> on the Board at present. >>> >>> These are both interesting ideas. >> >> The proposal is to pick a domain and get registration Simon volunteers to >> help. >> >> >>> >>>> >>>> >>>>> >>>>> An ISP for hosting the private ML needs to be selected. Dennis suggests >>>>> that the ASF could be that ISP for free. >>> >>> <slight snip/> >>> >>> And: >>> >>> <insert> >>> >>> On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote: >>> >>> <snip/> >>> >>>> >>>> If we basically agree that such a list as outlined by me is a way to go, I >>>> am happy to ask a friend of mine who has a very good reputation in being a >>>> mail server, mailing list and security expert, with a very good track >>>> record, including all sorts of certifications. He is offering e-mail >>>> services as business. >>>> >>>> I just don't want to spread the name publically without asking him first, >>>> and I don't want to ask him, before we have some common understanding. :-) >>>> >>> >>> >>> </insert> >> >> The proposal is for the exiting securityteam to choose, the above are two >> possibilities. >> >> >>> >>> >>>>> >>>>> securityteam@oo.o is migrated to whatever the new list is, and those >>>>> people start administrating. >>>>> >>>>> I think it is very important for the public to know who all of the >>>>> projects >>>>> are on the shared ML. >> >> I propose that this shared security team provide a list of participating >> peers to the public. >> >>>>> >>>>> Are we done already :-) >>> >>> Let's let the world revolve to see if we have some Consensus. >> >> Revolve 3x or 72 hours. >> >> Regards, >> Dave >> >>> >>> Regards, >>> Dave >>> >>>>> >>>>> Regards, >>>>> Dave >>>>> >>>>>> >>>>>> That is fair to anyone, does not exclude anyone, does not benefit one >>>>>> over the other -- it's easy, simple, and the best way to go. Sure, >>>>>> everyone can create own aliases pointing to that list, but the core is >>>>>> the same, and that's what matters. >>>>>> >>>>>> If you folks now start complaining about we don't trust Apache, we can >>>>>> answer by complaining you don't trust TDF and so on. It's a horrible >>>>>> waste of time, it's lame, it does not help anyone, and it makes me doubt >>>>>> we're talking amongst adults, seriously. >>>>>> >>>>>> And, really, all this crap being tossed around about trustworthiness, >>>>>> upstream, downstream, code similarities and insults is worth not even >>>>>> the digital paper it's written on. >>>>>> >>>>>> I made a simple, plain, and easy proposal. Don't make things overly >>>>>> complicated, folks. >>>>>> >>>>>> Thanks for considering, >>>>>> Florian >>>>>> >>>>>> -- >>>>>> Florian Effenberger <flo...@documentfoundation.org> >>>>>> Steering Committee and Founding Member of The Document Foundation >>>>>> Tel: +49 8341 99660880 | Mobile: +49 151 14424108 >>>>>> Skype: floeff | Twitter/Identi.ca: @floeff >>>>>> >>>>> >>>>> >>>> >>>> >>>> -- >>>> Simon Phipps >>>> +1 415 683 7660 : www.webmink.com >>> >> >>
