If this is what the AOOo PPMC ends up deciding, what happens to the
specific securityteam@ email address?
Given that it's already plastered over the web, I think it would be
useful to have it forward to ooo-security@, so that at least the
relevant AOOo security experts can get any reports that go there, and
can ensure they inform any other relevant parties by your method below.
- Shane
On 10/25/2011 12:08 PM, Rob Weir wrote:
There is an easy way to avoid all the trust issues with regards to
shared mailing lists. Don't have such a list. Trust individuals.
This proposal takes this approach.
1) The AOOo PMC solicits the names of security contacts from related
projects who wish to be consulted related to pre-disclosure
coordination related to analysis and resolution of reported security
vulnerabilities. Names of individuals are preferred over opaque
mailing lists. Trust can be established based on a PGP/GPG web of
trust. These names and addresses are stored confidentially in the
PPMC's private SVN directory.
2) The AOOo security team reaches out to these contacts, as
appropriate, via their preferred contact mechanism, to coordinate on
specific vulnerabilities. We (Apache) would cc ooo-security on our
external emails, as required by Apache policy [1].
3) Other groups would be encouraged to reach out to AOOo in similar
circumstances via our preferred contact mechanism, ooo-security.
4) This fully allows targeted collaboration on specific issues, via
each project's preferred contact mechanism, without requiring the
maintenance of an additional email list.
5) If we want to discuss security in general, then that can/should
happen on public dev lists. That public discussion could occur
anywhere.
[1]: http://www.apache.org/security/committers.html