On Mon, Dec 12, 2011 at 7:07 PM, Dennis E. Hamilton <[email protected]> wrote:
> I meant an inter-project list, not an intra-project list.
>

You said, "OpenOffice-ecosystem public discuss list"

That is perfectly fine for ooo-dev. Any other project that is serious
about the "OpenOffice ecosystem" will already have members subscribed
to ooo-dev. This is where the project has its grand conversation.
This is where the work happens. This is where consensus is reached.

-Rob

> -----Original Message-----
> From: Rob Weir [mailto:[email protected]]
> Sent: Monday, December 12, 2011 14:05
> To: [email protected]
> Subject: Re: Handling and Reporting CVEs (was RE: Proposal: ooo-announce list)
>
> On Mon, Dec 12, 2011 at 4:54 PM, Dennis E. Hamilton
> <[email protected]> wrote:
>> I don't have any doubts about Apache-wide handling of CVEs, and guidance to
>> security teams within Apache projects is complete and comprehensive.
>>
>> I was thinking more about an OpenOffice-ecosystem public discuss list where
>> the various security teams for OpenOffice.org code-based products can work
>> out mutual agreements on security issues and the CVEs that impact common
>> features. It should be separate from the private, sensitive lists that are
>> only for reports of security issues.
>>
>
> If it is not private, then how about here on ooo-dev?
>
> Although one could imagine a set of additional lists for every dev
> specialization in the project, I'm not sure we really need a separate
> public list for security. But once you get started, it is hard to
> stop: security, then qa, localization, performance, accessibility, UI,
> doc, help, install, etc. Creating lists and putting boxes around
> things is very clean and logical. I assume that is how OOo ended up
> with 300+ of them.
>
>> - Dennis
>>
>> -----Original Message-----
>> From: Daniel Shahaf [mailto:[email protected]]
>> Sent: Monday, December 12, 2011 11:27
>> To: Dennis E. Hamilton
>> Cc: [email protected]
>> Subject: Re: Handling and Reporting CVEs (was RE: Proposal: ooo-announce
>> list)
>>
>> Dennis E. Hamilton wrote on Mon, Dec 12, 2011 at 10:21:33 -0800:
>>> PS: It might be nice to have a single public place to discuss just
>>> these practices across the family without deflecting the reporting
>>> lists from their focused purpose with regard to receiving and
>>> assessing vulnerability and exploit reports. Although I think one
>>> would be useful to have, there does not seem to be much interest on
>>> the part of the various security teams.
>>>
>>
>> If you want to have an Apache-wide discussion about how to handle CVEs
>> I'm sure there's an existing list appropriate for that.
>> [ ... ]
>>
>
