On Oct 25, 2011, at 4:43 PM, Rob Weir wrote:

> On Tue, Oct 25, 2011 at 7:19 PM, Dave Fisher <[email protected]> wrote:
>>
>> On Oct 25, 2011, at 4:05 PM, Rob Weir wrote:
>>
>>> On Tue, Oct 25, 2011 at 7:01 PM, Dennis E. Hamilton <[email protected]> wrote:
>>>> Oh, and the most important part:
>>>>
>>>> In what way is the AOOo party to the consensus that is reached? That ooo-security (an agent of the PPMC, essentially) will participate in the described community arrangement if established? Something else?
>>>>
>>>
>>> It would be good to also include in the proposal how IP will be treated. By my reading of the iCLA this would not be covered, since it is not an Apache list. We'd need to make some other agreement, take it to legal-discuss, etc.
>>
>> I'm not so sure.
>>
>
> Think of it this way: where else at Apache is it permissible for an Incubation project to collaborate on project code on a private non-Apache list, with no agreement on license, no mentor visibility, and no audit trail for Apache members to inspect? This doesn't sound like the kind of diligence Apache projects traditionally give to IP issues everywhere else. We owe it to our users and ourselves to get this right.

We only care about the code that actually makes it into AOOo. Only ooo-security members will be committing code fixes for AOOo security issues.

>
>> ooo-security is responsible for assuring that security fixes for AOOo are AL2 compatible. If the shared security group is not producing compatible IP in response to a security threat that is a different problem. If it happens often then ooo-security will need to discuss this with ooo-private.
>>
>
> Putting the responsibility on ooo-security members in such an untenable situation will only lead to the resignation of ooo-security members. I think we need some way to enforce this.

If it becomes a problem then we deal with it on ooo-private as a community problem. Either we'll need more PPMC on ooo-security or there will be a tangible issue to resolve.

>
> From what I'm reading, not even Apache committers who have signed the iCLA are bound to the iCLA for contributions made on some ad-hoc, private, non-Apache list.

So?

>> We can make it a mission statement of this group to help all the peers produce fixes that are compatible with their licenses. I don't think we can guarantee all individuals on the team will be able to always do so. Requiring such an affirmation is clearly a blocker for some individual's participation.
>>
>
> I think then we need to weigh having a smashing fun party with LO hackers in a private, unauditable list with no license discipline versus Apache's primary mission of producing software for public use under the Apache 2.0 license. Code through Community.

I'm trying to find a way to keep the larger community together. You are asserting that the list will be unauditable when the ASF is still a possible "ISP"? You are asserting a "smashing fun party" problem that is not visible to me.

>
> The alternative is to step back, realize that Florian has confused what the PPMC position is on securityteam participation and take that route. Since that would be an Apache list, AOOo committers would already be covered. And we could cover the remaining users via a Terms of Use statement for the list.

I'm trying to get there, but let's not forget that others have raised the "domain neutrality" requirement.

Regards,
Dave

>
> -Rob
>
>> Regards,
>> Dave
>>
>>>
>>>> I think that would be essential to bringing this to a successful conclusion.
>>>>
>>>> -----Original Message-----
>>>> From: Dennis E. Hamilton [mailto:[email protected]]
>>>> Sent: Tuesday, October 25, 2011 15:45
>>>> To: '[email protected]'
>>>> Cc: 'Dave Fisher'
>>>> Subject: RE: [proposal] Neutral / shared security list ...
>>>>
>>>> Dave, if you are going to do that, just relabeling a thread is not helpful.
>>>>
>>>> Please compose a specific concrete proposal under a [DISCUSS], and announce the duration and end-time for a lazy consensus at the top.
>>>>
>>>> Give it at least 3 full 24-hour calendar days.
>>>>
>>>> I don't have any sense that there is alignment yet, but there may be in that time and I am happy to be mistaken. Then at the end, if there is a consensus, please report what it is.
>>>>
>>>> - Dennis
>>>>
>>>> -----Original Message-----
>>>> From: Dave Fisher [mailto:[email protected]]
>>>> Sent: Tuesday, October 25, 2011 15:35
>>>> To: [email protected]
>>>> Cc: [email protected]
>>>> Subject: Re: [proposal] Neutral / shared security list ...
>>>>
>>>> Hi -
>>>>
>>>> Sorry to reply to myself.
>>>>
>>>> Even though there are choices in this email, please view it as a proposal where we are seeking lazy consensus.
>>>>
>>>> On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote:
>>>>
>>>>> On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote:
>>>>>
>>>>>> On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher <[email protected]> wrote:
>>>>>>
>>>>>>> Agreed. We need to pick a neutral domain name. office-security.org is apparently free.
>>>>>>>
>>>>>>> Some institution needs to buy domain registration. I've been the volunteer registrar for a social group's domain; it is a pain to transition. This needs to be an institution, it could be Team OOo?
>>>>>>>
>>>>>>
>>>>>> I think they are too close to the matter. SPI exists specifically to hold assets in trust - perhaps they would hold the registration for us all? If we agree I'd be happy to volunteer to contact them.
>>>>>>
>>>>>> It's also possible we could ask OSI to do it - Jim Jagielski and I are both on the Board at present.
>>>>>
>>>>> These are both interesting ideas.
>>>>
>>>> The proposal is to pick a domain and get registration; Simon volunteers to help.
>>>>
>>>>>>> An ISP for hosting the private ML needs to be selected. Dennis suggests that the ASF could be that ISP for free.
>>>>>
>>>>> <slight snip/>
>>>>>
>>>>> And:
>>>>>
>>>>> <insert>
>>>>>
>>>>> On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote:
>>>>>
>>>>> <snip/>
>>>>>
>>>>>> If we basically agree that such a list as outlined by me is a way to go, I am happy to ask a friend of mine who has a very good reputation in being a mail server, mailing list and security expert, with a very good track record, including all sorts of certifications. He is offering e-mail services as business.
>>>>>>
>>>>>> I just don't want to spread the name publicly without asking him first, and I don't want to ask him before we have some common understanding. :-)
>>>>>>
>>>>>
>>>>> </insert>
>>>>
>>>> The proposal is for the existing securityteam to choose; the above are two possibilities.
>>>>
>>>>>>> [email protected] is migrated to whatever the new list is, and those people start administrating.
>>>>>>>
>>>>>>> I think it is very important for the public to know who all of the projects are on the shared ML.
>>>>
>>>> I propose that this shared security team provide a list of participating peers to the public.
>>>>
>>>>>>> Are we done already :-)
>>>>>
>>>>> Let's let the world revolve to see if we have some Consensus.
>>>>
>>>> Revolve 3x or 72 hours.
>>>>
>>>> Regards,
>>>> Dave
>>>>
>>>>> Regards,
>>>>> Dave
>>>>>
>>>>>>> Regards,
>>>>>>> Dave
>>>>>>>
>>>>>>>> That is fair to anyone, does not exclude anyone, does not benefit one over the other -- it's easy, simple, and the best way to go. Sure, everyone can create their own aliases pointing to that list, but the core is the same, and that's what matters.
>>>>>>>>
>>>>>>>> If you folks now start complaining that we don't trust Apache, we can answer by complaining you don't trust TDF and so on. It's a horrible waste of time, it's lame, it does not help anyone, and it makes me doubt we're talking amongst adults, seriously.
>>>>>>>>
>>>>>>>> And, really, all this crap being tossed around about trustworthiness, upstream, downstream, code similarities and insults is worth not even the digital paper it's written on.
>>>>>>>>
>>>>>>>> I made a simple, plain, and easy proposal. Don't make things overly complicated, folks.
>>>>>>>>
>>>>>>>> Thanks for considering,
>>>>>>>> Florian
>>>>>>>>
>>>>>>>> --
>>>>>>>> Florian Effenberger <[email protected]>
>>>>>>>> Steering Committee and Founding Member of The Document Foundation
>>>>>>>> Tel: +49 8341 99660880 | Mobile: +49 151 14424108
>>>>>>>> Skype: floeff | Twitter/Identi.ca: @floeff
>>>>>>
>>>>>> --
>>>>>> Simon Phipps
>>>>>> +1 415 683 7660 : www.webmink.com
