Re: Areas for cooperation between AOOO and LO [was: Cooperation withRe: Neutral / shared security list ...]

2011-10-25 Thread Ian Lynch
Seems to me that while the focus is political point scoring, aggression,
sarcasm and such the chances of getting cooperation are zero.

On 25 October 2011 00:32, Rob Weir robw...@apache.org wrote:

 On Mon, Oct 24, 2011 at 7:11 PM, Simon Phipps si...@webmink.com wrote:
 
  On 25 Oct 2011, at 00:56, Rob Weir wrote:
 
  Hi Simon, do you have any other ideas for cooperation, preferably ones
  that are not redundant?
 
  While I am amused that your first words after "hopefully will attract
 fewer trolls" themselves include a mean-spirited troll, I'm sorry you think
 a collaborative security mailing list with shared, collaborative ownership
 is redundant.
 

 We already have a collaborative security mailing list that has 4 LO
 members on it, as well as several AOOo members, representatives from
 other vendors, security experts from Linux distros, etc.  So we are
 already there.  Creating a new list for the same thing would be
 redundant.

  We clearly have very different views of the world. I continue to think
 such a list holds great opportunity for collaboration since it was working
 in that role for many months, but it's hard to see how it can now be the
 securityteam@ list, unfortunately (unless you're speaking alone, of
 course).
 

 As above, the list exists and LO and AOOo members are already on it.
 Time to declare success and find additional areas to collaborate.

   I suggested cooperating on translations via
  a shared Pootle instance.
 
  Hard to see how that would work since it would require the source to be
 highly similar and that looks unlikely to be the case.
 

 I think the value would come from the translation memory aspect.  So
 even if we had different source files, the UI's of the products are
 nearly identical, and the underlying concepts of the products remain
 very much the same and likely will remain so for the foreseeable future.
 (it is not like spreadsheets and word processors have changed much in
 the past decade).  So there may be some value in sharing translation
 memory of basic concepts and repeated patterns that are common to
 describing both products.

 It also makes it easier for translators who wish to contribute to both
 products at once, similar to what ODF Authors has done for
 documentation.

Or maybe code browsing/searching facilities
  with OpenGrok.  Or either of those possible?
 
  Hard to see how two very different source trees can have a shared
 browser. It would be best for Apache to run its own instance.
 
  Or maybe work on a collaborative QA site as an alternative user
  support option?
 
  Plausible in the future but a little early to be proposing it - YAGNI
 applies.
 

 A little too early? It looks like someone is already trying this for
 LO, but they are failing to get enough participation needed to
 graduate on StackExchange.  So it looks like an area ripe for
 collaboration:

 http://area51.stackexchange.com/proposals/24564/libreoffice

Or maybe a shared template and extensions site?
 
  I believe I once proposed such a thing, and was told by both communities
 that licensing issues would largely prevent it.
 

 I certainly proposed such a thing, and licensing was not an issue in
 my proposal.  Maybe we should revisit, if you think this is a possible
 area for collaboration?

 Any other ideas?

  Delighted to hear you are now such a fan of co-operation though, Rob.
 I'll be sure to support any viable proposals you present to both
 communities.
 

 I'll continue to float the ideas by you first, Simon.  I'd like you to
 be able to find some success in your goal to lead these projects to
 find areas to collaborate.

 -Rob

  S.
 
 
 
 




-- 
Ian

Ofqual Accredited IT Qualifications (The Schools ITQ)

www.theINGOTs.org +44 (0)1827 305940

The Learning Machine Limited, Reg Office, 36 Ashby Road, Tamworth,
Staffordshire, B79 8AQ. Reg No: 05560797, Registered in England and
Wales.


Re: working on a OpenOffice roadmap

2011-10-25 Thread Simon Phipps
On Mon, Oct 24, 2011 at 8:20 PM, Pedro Giffuni p...@apache.org wrote:


 If libreoffice encourages, but not requires, AL2
 for stuff in the core package, that would be a huge
 advance to get a bit nearer both camps.


Given licenses are the expression of the ethos of a community, it's
disingenuous and divisive to assume any community will drop its governance
approach like this, Pedro. It translates as the path to collaboration is
your surrender; we can negotiate once you've done that.  You make it sound
so innocent, too, by missing out the other requirement that Apache would
have for contributors to sign an ICLA and thus join Apache :-)

S.


Re: Neutral / shared security list ...

2011-10-25 Thread Michael Meeks
Hi Dave,

On Mon, 2011-10-24 at 16:25 -0700, Dave Fisher wrote:
 Not sure how much this is like your original proposal, but maybe the
 following is acceptable:
 
 (1) The securityt...@openoffice.org continues.

As mentioned, not happy about an openoffice.org domain; LibreOffice is
not openoffice.org, that is not really neutral.

 (2) The membership of securityteam ML should be open to individuals
 and forks/downstreams as selected by the ML membership.

Fine - though I'd characterise AOOoI as a fork too if this
is used as a loaded term.

 (3) The securityteam ML moderators are selected from the
 individual membership of the securityteam ML.

Fine.

 (4) The securityteam ML is nominally under the governance of the
 ASF - either the AOOo podling PPMC, the Apache Security Team, or
 even the Foundation Board. I think the AOOo podling PPMC should
 be acceptable, but we can ask the other entities if that is not
 neutral enough. We may ask the TDF to neutrally host some
 component and it would make sense for each entity to trust the
 neutrality of the other entity (Rob's real point).

Totally un-acceptable, I'm sorry. The Apache project is by no means
neutral. The decision to take on AOOoI and the actions of that project
are its responsibility.

 (5) No iCLAs are required.

Of course.

 (6) A set point for membership is determined when at least
 AOOo, TDF, and any other OOo fork/downstreams who might
 appear within a reasonably short time period. The deadline
 would need to be agreed.

I would not have a process - we should just include everyone competent
who has a reason to be there; that is normally fairly easy to work out
relationally; if not the moderators can thrash it out. If it is a
multi-vendor, neutral list I don't envisage controversy there.

 (7) The securityt...@openoffice.org ML will be hosted by the
 ASF when the MX for openoffice.org is moved to ASF Infrastructure.

Hosting by the ASF is by no means ideal, but perhaps compromise here is
reasonable.

 I'm currently curious if LO uses extensions.s.oo.o and templates.s.oo.o?

We built our own new infrastructure for that.

So - I am still fairly firmly convinced that this security thing is not
going to pan out. Here is my potted history of it:

* initial request for continuing the traditional,
  friendly cross membership of security lists
    + turned down at AOOoI: Apache Committers only
* requests for a neutral list with neutral name turn into:
    + ASF  openoffice.org -are-neutral-; proof by assertion
* more compromise proposals arrive
    + these have high level ASF governance hard-wired

This doesn't make it seem like we're going anywhere productive, which
is fine - there is no huge problem with having two separate public
facing security lists that can have cross membership on them.

Since there is no TDF affiliated admin for the currently suggested,
Apache controlled, 'neutral' security list, extracting a membership list
of that would be appreciated - so we can mirror it in a suitable other
place.

I'm also minded to consider the relative grief of endlessly re-hashing
this issue vs. actually fixing whatever bugs are found. Can we not just
move on.

All the best,

Michael.

-- 
michael.me...@suse.com  , Pseudo Engineer, itinerant idiot



Re: Neutral / shared security list ...

2011-10-25 Thread Michael Meeks
Hi Rob,

On Sat, 2011-10-22 at 22:59 -0400, Rob Weir wrote:
 I just noticed that the LO help website is heavily linked into the OOo wiki.

Thanks for the report :-)

 http://www.google.com/search?q=site%3Ahelp.libreoffice.org+link%3Awiki.services.openoffice.org

About 732,000 results

Looks impressive; then again this is because we have multiple versions
of the help on-line, translated into multiple languages. I append the
list of 24 dangling links we haven't noticed and migrated at the end,
generated with a tool closer to home:

cd helpcontent2
git grep 'services.openoffice.org' | sed 's/.*http:\/\///' | sed s/\.*// |
    sed 's/.*//' | sort | uniq | wc -l
24

Though perhaps I screwed that up; we should certainly update those
twenty four links to have a consistent set of help based on our
infrastructure.

 Again, we're very pleased to help TDF/LO in this area, by ensuring the
 long-term availability of these pages, as they are migrated over to
 Apache control and management.

Thank you.

 But I have not heard anyone complaining that the wiki is not sufficiently
 neutral because it is going to Apache

I'm sorry you missed that: the wiki is not sufficiently neutral because
it is going to Apache.

Of course, in the abstract I applaud the best of brothers sentiment,
and it plays very well - the reality presented daily doesn't match this.
Obviously I should write more on that clearly since it seems to be
invisible to some.

All the very best,

Michael.

extensions.services.openoffice.org
extensions.services.openoffice.org/
extensions.services.openoffice.org/dictionary
extensions.services.openoffice.org/project/pdfimport
wiki.services.openoffice.org/mwiki/index.php?title=Calc/Features/JIS_and_ASC_functions
wiki.services.openoffice.org/wiki/Accessibility
wiki.services.openoffice.org/wiki/Database
wiki.services.openoffice.org/wiki/Documentation/BASIC_Guide
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Adding_More_Languages
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Calc:_CONVERT_ADD_function
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Calc:_LINEST_function
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Calc:_WEIBULL_function
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Calc:_ZTEST_function
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Conditional_Counting_and_Summation
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Defining_a_Data_Range
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Regular_Expressions_in_Calc
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Regular_Expressions_in_Writer
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Setting_up_a_Style_for_Numbering_Lines_in_Code_Listings
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Spellchecking_in_More_Languages
wiki.services.openoffice.org/wiki/Documentation/OOoAuthors_User_Manual/Migration_Guide
wiki.services.openoffice.org/wiki/How_to_use_digital_Signatures
wiki.services.openoffice.org/wiki/Macros_in_Database_Documents
wiki.services.openoffice.org/wiki/MSA-Base_Faq
wiki.services.openoffice.org/wiki/Non_Breaking_Spaces_Before_Punctuation_In_French_(espaces_ins%C3%A9cables)

-- 
michael.me...@suse.com  , Pseudo Engineer, itinerant idiot



Re: Neutral / shared security list ...

2011-10-25 Thread Simon Phipps

On 25 Oct 2011, at 02:55, Dave Fisher wrote:

 I tried to be ambiguous with fork/downstream. There is a relationship, and 
 whether it originates as a fork, upstream, downstream, or upside-down 
 relationship the relationship *IS* a *PEER* relationship. (auf Deutsch, ist 
 klar?)

:-)  I just want to make clear that, listening to both sides of this issue, it 
is very easy (on both sides) for people to use language that is unintentionally 
inflammatory and then treat the other party as at fault when they react to it...

 So, this could be a true point of co-operation, there was a thread about this 
 and it did have some good ideas.
 
 Extensions and especially templates are likely to be compatible.

This isn't a given. By the time AOOo makes an end-user release, there are 
likely to be substantial differences and a shared  add-ons repo would probably 
need to distinguish strongly between the two projects. Still worth considering 
though, I agree.

 Given the licensing issues with Apache hosting it does make more sense for 
 the TDF to host these.

TDF won't host closed extensions though, so the combined (TDF + Apache) repo 
would still hold less than the current repo.

 No technical reasons why the openoffice.org DNS for these couldn't point to 
 servers hosted by the TDF.

Maybe this is a compromise solution for the security list too?  make it 
coordinat...@security.openoffice.org and point the MX at a TDF server?

S.



Re: working on a OpenOffice roadmap

2011-10-25 Thread Ian Lynch
On 25 October 2011 11:28, Simon Phipps si...@webmink.com wrote:

 On Mon, Oct 24, 2011 at 8:20 PM, Pedro Giffuni p...@apache.org wrote:

 
  If libreoffice encourages, but not requires, AL2
  for stuff in the core package, that would be a huge
  advance to get a bit nearer both camps.

 Given licenses are the expression of the ethos of a community, it's
 disingenuous and divisive to assume any community will drop its governance
 approach like this, Pedro. It translates as the path to collaboration is
 your surrender; we can negotiate once you've done that.  You make it sound
 so innocent, too, by missing out the other requirement that Apache would
 have for contributors to sign an ICLA and thus join Apache :-)


I didn't interpret it like that.  From a practical point of view AL2 can be
used and converted downstream, it's not possible for LGPL to be used AL2 so
the only way code can be shared is via AL2. If some developers feel strongly
about that, they can contribute only to the LGPL licensed pool. If some are
not so concerned they can contribute to AL2 because it will work with both.
Ok that is effectively a commit to Apache, but since all Apache commits are
potentially reusable in a LGPL project, why is that seen as such a one way
traffic thing? Really Pedro is simply saying encourage people that don't
feel too strongly about it to use the AL2 license. If that is a problem I
doubt there is much point in taking the discussion further.

-- 
Ian



Re: working on a OpenOffice roadmap

2011-10-25 Thread Pedro Giffuni
Hi Simon;

I try to give people the benefit of the doubt. Ethos is
something that goes well beyond a license, and once you
read the iCLA it's not an impossible thing to ask (you
signed it), and it's surely not what SUN had in place.

That said, and it's something I have argued about
publicly with Rob, while the iCLA is a requisite to
become a committer, it is not a requisite to contribute.

Furthermore, once we start doing releases (and trust me,
we will get there) they are likely to start including AL2
code anyways.

Am I naive? Yes. I was never part of the previous OOo
community led by SUN so perhaps not having that trauma
helps me see things a lot simpler than they are.

There is an evident lack of confidence in us over there
and as I said before, in private, we can't start activities
like a shared security list if there is no confidence first.

I stand to the principle that we are neutral, and that
every vendor or community member is free to join or leave
whenever they want.

Pedro.

--- On Tue, 10/25/11, Simon Phipps si...@webmink.com wrote:

 
 On Mon, Oct 24, 2011 at 8:20 PM, Pedro Giffuni p...@apache.org wrote:

 If libreoffice encourages, but not requires, AL2
 for stuff in the core package, that would be a huge
 advance to get a bit nearer both camps.

 Given licenses are the expression of the ethos of a
 community, it's disingenuous and divisive to assume any
 community will drop its governance approach like this,
 Pedro. It translates as the path to collaboration is
 your surrender; we can negotiate once you've done
 that.  You make it sound so innocent, too, by missing
 out the other requirement that Apache would have for
 contributors to sign an ICLA and thus join Apache :-)

 S.



Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance

2011-10-25 Thread Christian Lohmaier
Hi Dennis, *,

On Tue, Oct 25, 2011 at 2:04 AM, Dennis E. Hamilton
dennis.hamil...@acm.org wrote:
 I read somewhere, and I don't know where, that ASF did not want torrents
 to be used.
 I'm guessing that the issue is related to ensuring the integrity and
 authenticity of packaged releases.

That doesn't make sense - integrity is assured by bittorrent by
providing sha1sums for each  chunk. And authenticity can be assured
just like it is with regular releases - just include a corresponding
signature file within the torrent.

 I may have dreamed it or I am mixing this up with something else.

If those were the only reasons, then they were made-up arguments.

But bittorrent only makes sense for larger files anyway.

ciao
Christian


Re: working on a OpenOffice roadmap

2011-10-25 Thread Rob Weir
On Tue, Oct 25, 2011 at 6:28 AM, Simon Phipps si...@webmink.com wrote:
 On Mon, Oct 24, 2011 at 8:20 PM, Pedro Giffuni p...@apache.org wrote:


 If libreoffice encourages, but not requires, AL2
 for stuff in the core package, that would be a huge
 advance to get a bit nearer both camps.


 Given licenses are the expression of the ethos of a community, it's

LO had no choice but to take LGPL.  So more necessity/inertia than
ethos.  And -- according to Michael -- when it thought that MPL might
be more acceptable TDF was quick to add MPL for new code
contributions.  This shows an ethos of flexibility.  This is a good
thing.  One option TDF/LO did not have at the time was  to take the
core OOo code under ALv2, an option they now have via the Oracle SGA's
to Apache.  It might make sense to evaluate the new possibilities,
including possibilities for collaboration, enabled by this change, a
change that was not even remotely foreseeable, and therefore was not
considered, when TDF/LO first started.

 disingenuous and divisive to assume any community will drop its governance
 approach like this, Pedro. It translates as the path to collaboration is
 your surrender; we can negotiate once you've done that.  You make it sound

This is obviously a touchy subject for you, Simon.  But please read
what Pedro wrote.  He said:

If libreoffice encourages, but not requires, AL2 for stuff in the
core package, that would be a huge  advance to get a bit nearer both
camps.

This is not asking for LO members to surrender or fall on their
swords.  It is suggesting that information be made available to LO
developers who might wish to voluntarily make their code available
under ALv2 as well as the existing LGPL/MPL.   Please correct me if
I'm wrong, but I had the impression that there is nothing at TDF/LO that
would prevent someone from doing this?

 so innocent, too, by missing out the other requirement that Apache would
 have for contributors to sign an ICLA and thus join Apache :-)


Signing the iCLA is not required for most patches.

Regards,

-Rob

 S.



Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance

2011-10-25 Thread Robert Burrell Donkin
On Mon, Oct 24, 2011 at 2:08 AM, Marcus (OOo) marcus.m...@wtnet.de wrote:

snip

 The problem is that the ASF do not want to host and provide services of
 special software for single projects. I can understand this as even the ASF
 infra is a team of volunteers and their time is limited as it is for all
 others.

I think this is a little open to misinterpretation. Hopefully a Mentor
will jump in but (until they do) I'll do my best to explain a little
bit more about the way infrastructure works here at Apache...

The infrastructure team at Apache is an independent, volunteer-led
self-organising community of experts. Apache delegates infrastructure
to this community, and provides resources to sustain their work[1].
When asking infrastructure for help, it's essential to remember this
and engage with them as peers with special expertise. Anyone arriving
with a solution or a request for a new service must expect to be
challenged to defend and refine their choice of solution.


To move back to the particular, this is a migration issue. A valuable
service is about to be closed and needs to be migrated. Whether this
is the right long-term solution is open to debate but accepting a service
for a temporary period doesn't raise the issues that committing to
provide a similar service for all projects forever would. Please
explain the problem to infrastructure and ask for their help to find a
solution.

Robert

[1] The team has a budget and some flexibility to bring additional
resources - including hired help - when needed. Apache has adequate
financial resources but is culturally resistant to committing to
additional spending without good reason. Apache values independence.
Dependency on funding risks that independence.


Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance

2011-10-25 Thread Pedro Giffuni
The issue with bittorrent is that it has become nearly illegal in
some countries. I heard about someone being visited by the
police in Italy.

I do think it is an option but alternate means must be provided.

Pedro.

Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance

2011-10-25 Thread Rory O'Farrell
On Tue, 25 Oct 2011 05:04:08 -0700 (PDT)
Pedro Giffuni p...@apache.org wrote:

 The issue with bittorrent is that it has become nearly illegal
 in some countries. I heard about someone being visited by the
 police in Italy.
 
 I do think it is an option but alternate means must be provided.

On the Forum we frequently advise users who have a problem
downloading to use a torrent; this seems to cure recalcitrant
download problems, such as slow (modem) or noisy connections.
-- 
Rory O'Farrell ofarr...@iol.ie


Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance

2011-10-25 Thread Robert Burrell Donkin
On Tue, Oct 25, 2011 at 12:36 PM, Christian Lohmaier
cl...@openoffice.org wrote:
 Hi Dennis, *,

 On Tue, Oct 25, 2011 at 2:04 AM, Dennis E. Hamilton
 dennis.hamil...@acm.org wrote:
 I read somewhere, and I don't know where, that ASF did not want torrents
 to be used.
 I'm guessing that the issue is related to ensuring the integrity and
 authenticity of packaged releases.

 That doesn't make sense - integrity is assured by bittorrent by
 providing sha1sums for each  chunk. And authenticity can be assured
 just like it is with regular releases - just include a corresponding
 signature file within the torrent.

Better to download the signature over HTTPS but yes, I see no reason
why this approach could not be made to work.

 I may have dreamed it or I am mixing this up with something else.

 If those were the only reasons, then they were made-up arguments.

When engaging with Infrastructure, expect to be challenged and to have
to defend any proposal. These lists are open, so expect a range of
cluefulness from contributors. The best way to impress the core
infrastructure team is for plenty of clueful people from a project to
show up and defend the proposal with well-researched arguments. Giving
up and going away is the surest way to lose the argument...

Robert


Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance

2011-10-25 Thread Robert Burrell Donkin
On Tue, Oct 25, 2011 at 1:04 AM, Dennis E. Hamilton
dennis.hamil...@acm.org wrote:
 I read somewhere, and I don't know where, that ASF did not want torrents
 to be used.

The meaning and force of this statement is hard to judge without a full context.

Apache has surprisingly and confusingly little policy, and most of
that should be written down.

Apache encourages wide participation on open lists. Conventionally,
opinions expressed on lists are just personal opinions - unless backed
by evidence or clear marking[1]. So this is just my personal opinion
;-)

Robert

[1] wearing a hat :-) http://www.apache.org/foundation/how-it-works.html


Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance

2011-10-25 Thread Gianluca Turconi

On 25/10/2011 14.04, Pedro Giffuni wrote:

The issue with bittorrent is that it has become nearly illegal in
some countries. I heard about someone being visited by the
police in Italy.

There is always somebody visited by our Polizia Postale. ;-)

Indeed, the software is legal, of course. It's the way a user utilizes 
it that may be illegal.


BTW, I've seeded LibreOffice for a couple of months and Torrent is a 
useful tool that helps to distribute among users the bandwidth needed 
for large downloads.


Regards,

Gianluca

--
Free reading or purchase of books and stories: science fiction,
fantasy, horror, noir, fantastic and traditional fiction:
http://www.letturefantastiche.com/



Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance

2011-10-25 Thread Christian Lohmaier
Hi Robert, *,

On Tue, Oct 25, 2011 at 2:15 PM, Robert Burrell Donkin
robertburrelldon...@gmail.com wrote:
 On Tue, Oct 25, 2011 at 12:36 PM, Christian Lohmaier
 cl...@openoffice.org wrote:
 [...]
 That doesn't make sense - integrity is assured by bittorrent by
 providing sha1sums for each  chunk. And authenticity can be assured
 just like it is with regular releases - just include a corresponding
 signature file within the torrent.

 Better to download the signature over HTTPS but yes, I see no reason
 why this approach could not be made to work

With signature I meant a real signature (gpg signature), not a md5sum
or sha1sum file.
When it is a cryptographic signature, it doesn't matter how you
download it, as it cannot be faked.
(of course the user has to get the proper key, but that's a different issue)


 I may have dreamed it or I am mixing this up with something else.

 If those were the only reasons, then they were made-up arguments.

 When engaging with Infrastructure, expect to be challenged and to have
 to defend any proposal. These lists are open, so expect a range of
 cluefulness from contributors. The best way to impress the core
 infrastructure team is for plenty of clueful people from a project to
 show up and defend the proposal with well-researched arguments. Giving
 up and going away is the surest way to lose the argument...

With OOo the tracker network[1] was run independently anyway and not
hosted on the Oracle or OSUOSL hosted infrastructure. The main tracker
was Mike's at utwente, and that mirror also was the initial/main seed
for all the releases. There were other trackers linked together via a
tracker-hub (backup tracker as well as the hub were provided by
Harold).

So it is not a matter of infrastructure, but a matter of policy.

There's no need for the mechanism to change in my opinion. (torrents
are generated automatically as soon as they hit the mirror).

So if apache wants to set up their own bt network, they need one
capable machine (in terms of bandwidth) server to be the initial seed,
and one with almost no resources (can be the same machine of course)
to act as tracker.

[1] The trackers are *linked*, not separate, all trackers know about
every peer, so there is no swarm fragmentation, and you got the
fallback in case one of the trackers is down
(TDF only uses one single tracker, but webseeds (traditional http/ftp
URLs) are included, so even when the tracker is down, the clients can
still use regular mirrors and DHT.)

ciao
Christian
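
Added example (not part of any poster's message and not code from either project): the integrity and authenticity points raised in this sub-thread, worked through for BitTorrent v1 piece hashes. The tiny piece length, the constructed payloads and the pinned SHA-256 that stands in for a verified GPG signature are assumptions made for illustration.

```python
import hashlib
import hmac

PIECE_LEN = 16   # demo value (assumption); real torrents use far larger pieces
DIGEST_LEN = 20  # SHA-1 digest size; v1 metainfo stores one digest per piece


def make_metainfo(data, piece_len=PIECE_LEN):
    """Build the fields of a v1 'info' dict that matter for integrity."""
    pieces = b"".join(
        hashlib.sha1(data[i:i + piece_len]).digest()
        for i in range(0, len(data), piece_len)
    )
    return {"length": len(data), "piece length": piece_len, "pieces": pieces}


def bad_pieces(data, info):
    """Return indices of pieces that are missing or fail their SHA-1 check."""
    piece_len = info["piece length"]
    pieces = info["pieces"]
    expected = [pieces[i:i + DIGEST_LEN] for i in range(0, len(pieces), DIGEST_LEN)]
    bad = []
    for idx, want in enumerate(expected):
        chunk = data[idx * piece_len:(idx + 1) * piece_len]
        if not chunk or not hmac.compare_digest(hashlib.sha1(chunk).digest(), want):
            bad.append(idx)
    return bad


def accept_release(data, info, pinned_sha256):
    """Accept only if the data matches the metainfo AND an authenticated digest.

    pinned_sha256 is assumed to come from a source the user already trusts,
    for example a checksum file whose GPG signature has been verified.
    """
    if len(data) != info["length"]:
        return False, "length mismatch"
    bad = bad_pieces(data, info)
    if bad:
        return False, "corrupt pieces: %s" % bad
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, pinned_sha256):
        return False, "content does not match authenticated digest"
    return True, "ok"


# Constructed sample data, not a real release.
GENUINE = b"constructed sample release payload, not a real installer\n" * 4
INFO = make_metainfo(GENUINE)
PINNED = hashlib.sha256(GENUINE).hexdigest()

# Transfer damage: one flipped byte at offset 20 lands in piece 1.
DAMAGED = bytearray(GENUINE)
DAMAGED[20] ^= 0xFF
DAMAGED = bytes(DAMAGED)

# Substitution: different content shipped with its own matching metainfo.
OTHER = b"constructed substitute payload from an untrusted source\n" * 4
OTHER_INFO = make_metainfo(OTHER)

if __name__ == "__main__":
    print("damaged pieces:", bad_pieces(DAMAGED, INFO))
    print("substitute passes piece check:", bad_pieces(OTHER, OTHER_INFO) == [])
    print("substitute accepted:", accept_release(OTHER, OTHER_INFO, PINNED))
    print("genuine accepted:", accept_release(GENUINE, INFO, PINNED))
```

Piece hashes bind the payload only to whatever metainfo the client was given, so the substituted pair passes the per-piece check and is rejected only by the authenticated digest.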


Draft mailing list notification post

2011-10-25 Thread Rob Weir
On the wiki here:

https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post

Feel free to make changes directly on the wiki, or suggest them as
responses to this note.  I don't think we want to overburden the
reader with a recitation of migration facts, but instead motivate them
to take the desired actions.  But since this will be for many the
first note they officially receive from the PPMC, it should probably
have some introductory information, and a welcome and invitation to
get involved (stay involved) with the project.

-Rob


Re: working on a OpenOffice roadmap

2011-10-25 Thread Shane Curcuru
Thank you Pedro for the very well thought out and politely presented 
explanation of your point.  It's very helpful to have this kind of 
honest and detailed discussion, especially when tempers run high, and 
doubly so when there's such a clear (and unfortunate) distrust between 
AOOo community members and folks working on TDF/LO.


Personally, I agree: the point is that if TDF/LO also encourages / 
documents as an additional optional step / even simply allows in some 
obvious public way for people submitting patches that could apply to 
AOOo under both licenses, that would be a big win for the ecosystem. 
AOOo code will already be fully useable by LO, so I find it hard to see 
what the harm is in allowing TDF/LO contributors to know about the 
option of dual licensing specific patches under the AL.


This is certainly not something aimed at hurting LO, and certainly 
doesn't apply to new or changed work in LO.  But it would be nice to 
discuss the possibility of having code that both projects can use 
without getting everyone's hackles up.  Especially since the alternative 
seems to be that Simon (I think) is saying he'd effectively rather see 
everyone contributing code exclusively to one project, and explicitly 
not allowing it to be contributed into the other.


This is exactly why I believe in the Apache license.  I believe that 
*people* should be free.  Users of our Apache software should be free to 
use it as they see fit.  If they contribute changes back, that's great - 
but what's important for open source is that humans now have access to a 
wealth of powerful software for free that they can use openly, easily, 
and for their own purposes, without undue restrictions.


- Shane

P.S. and really, while the iCLA is a required step to become a committer 
at Apache, it really shouldn't be such a large club to hit us over the 
head repeatedly.  It's not needed for most patches like I thought we 
were discussing here.


On 10/25/2011 7:25 AM, Pedro Giffuni wrote:

Hi Simon;

I try to give people the benefit of the doubt. Ethos is
something that goes well beyond a license, and once you
read the iCLA it's not an impossible thing to ask (you
signed it), and it's surely not what SUN had in place.

That said, and it's something I have argued about
publicly with Rob, while the iCLA is a requisite to
become a committer, it is not a requisite to contribute.

Furthermore, once we start doing releases (and trust me,
we will get there) they are likely to start including AL2
code anyways.

Am I naive? Yes. I was never part of the previous OOo
community led by SUN so perhaps not having that trauma
helps me see things a lot simpler than they are.

There is an evident lack of confidence in us over there
and as I said before, in private, we can't start activities
like a shared security list if there is no confidence first.

I stand to the principle that we are neutral, and that
every vendor or community member is free to join or leave
whenever they want.

Pedro.

--- On Tue, 10/25/11, Simon Phipps si...@webmink.com wrote:

On Mon, Oct 24, 2011 at 8:20 PM, Pedro Giffuni p...@apache.org wrote:

If libreoffice encourages, but not requires, AL2
for stuff in the core package, that would be a huge
advance to get a bit nearer both camps.

Given licenses are the expression of the ethos of a
community, it's disingenuous and divisive to assume any
community will drop its governance approach like this,
Pedro. It translates as the path to collaboration is
your surrender; we can negotiate once you've done
that.  You make it sound so innocent, too, by missing
out the other requirement that Apache would have for
contributors to sign an ICLA and thus join Apache :-)

S.


Re: Neutral / shared security list ...

2011-10-25 Thread Rob Weir
On Tue, Oct 25, 2011 at 6:47 AM, Michael Meeks michael.me...@suse.com wrote:
 Hi Dave,

 On Mon, 2011-10-24 at 16:25 -0700, Dave Fisher wrote:
 Not sure how much this is like your original proposal, but maybe the
 following is acceptable:

 (1) The securityt...@openoffice.org continues.

        As mentioned, not happy about an openoffice.org domain; LibreOffice is
 not openoffice.org, that is not really neutral.


I think part of the confusion here is that some of us are talking
about trust and you are talking about neutrality and many of us
are conflating the two.

For example:   I think we would agree that the United Nations building
in NYC is a neutral venue.  But I wouldn't want to accidentally leave
my wallet in the rest rooms there.  Neutrality is not the same as
trustworthy.

And even with trust we're not really saying what we think that means.
Are we talking about verified identities, a web of trust that can be
confirmed via digital signatures?  Or trust in terms of confident
belief that we're not going to stab each other in the back?
Obviously the latter form of trust is independent of the neutrality of
the venue.  It is trust of individuals and their actions, not trust of
neutral venues.  (Many countries have been stabbed in the back at the
UN)

I'd recommend that we seek trust, and do so via transparency.  The
subscriber list of securityteam should be made public.  Let's
demonstrate that there is no boogeyman hiding in the shadows.  Let's
show that the members are well-known members of the AOOo and LO
communities, as well as security experts from other vendors and Linux
distros.

We have a common goal - improving security for our users.  Neutrality
then comes when all parties are represented and able freely to express
their views, like at the UN, even though it is in the USA.   The rest
is just community practice, and we should have enough respect for the
community in that list -- once we understand better who is on that
list -- to establish their own rules and norms of behavior.  I don't
think we want to dictate from above how the list operates, something
we have hesitated to do for any other list in this project.

In the end, trust and neutrality are complex social phenomena.  If you
try to reduce this complexity to an IP address (or a street address)
then you will fail every time.

-Rob


FAQ on patch contributions

2011-10-25 Thread Rob Weir
Something we talked about a while ago, but never did.  An FAQ on how
to submit a patch to the project.  Obviously, we have many project
members who have figured this out.  But there may be others who now or
in the future would benefit from a simple write up.

I was thinking of taking as a base, this page from Apache HTTP, How
to Contribute Patches to Apache:

http://httpd.apache.org/dev/patches.html


A few questions:


1) If someone uses the git bridge to the repository, does git diff
produce a patch in the same format as svn diff?  In other words, are
they compatible?

2) Do we have a strong preference for whether patches are submitted to
the ooo-dev list or via Bugzilla?  Or are both acceptable?

3) It is clear that someone submitting a patch to BZ does so under
ALv2.  It is not so clear for patches on ooo-dev, unless they state so
explicitly, right?

4) Any other things we should mention?

-Rob


Fwd: odt2braille on the Mac

2011-10-25 Thread Bert Frees

Hi all,

My name is Bert Frees. I'm the developer of odt2braille, the Braille 
plugin for OOo: http://odt2braille.sourceforge.net/index.html. Some time 
ago I raised an issue on the old developer list (see e-mail below), but 
I got no reaction. I'm bringing it up again on this list in the hope 
somebody here can help me out. I'm not a Mac expert at all, but I get a 
lot of requests for Mac support. A lot of people would be very happy if 
this got solved.


Thanks in advance,
Bert Frees

--
Bert Frees
Katholieke Universiteit Leuven
Dept. Elektrotechniek - ESAT - SCD
Onderzoeksgroep Documentarchitecturen
Kasteelpark Arenberg 10 bus 2442
B-3001 Heverlee-Leuven
België



 Original Message 
Subject: odt2braille on the Mac
Date: Mon, 16 May 2011 11:55:37 +0200
From: Bert Frees bertfr...@gmail.com
To: d...@openoffice.org


Hello,

I'm new to this mailing list. My name is Bert Frees. I am the developer 
of odt2braille, the OpenOffice.org plugin for printing and exporting 
Braille. The website is http://odt2braille.sourceforge.net/index.html.


I'm trying to make this plugin available on the Mac, but I've been 
puzzling on a bug for some time now and I'm really stuck. I hope there 
is somebody on this list who is familiar with OOo on the Mac, and who 
knows what might be the problem.


I'm using javax.print.PrintServiceLookup 
http://download.oracle.com/javase/1.4.2/docs/api/javax/print/PrintServiceLookup.html 
to look up the default printer device. It works fine on Windows, but on 
Mac OS it causes OOo to crash. Also, I'm sure the problem is OOo-related 
because the code runs fine when it is not embedded in an OOo extension.


This is the code:

javax.print.PrintService printer =
    javax.print.PrintServiceLookup.lookupDefaultPrintService();



Thanks,
Bert



Re: [Proposal] Shutting down legacy OOo mailing lists

2011-10-25 Thread Rob Weir
On Mon, Oct 17, 2011 at 11:35 AM, Dave Fisher dave2w...@comcast.net wrote:

snip
 In the three to four weeks that it will take to get to step (7) AOOo and 
 Apache Infra should have control over the openoffice.org MX records. An 
 easier alternative would be to decide what MX services we want to continue on 
 openoffice.org and do the MX migration at this point. Even if it will bounce 
 and/or forward email.


Can we talk through that option a little more?  Take a legacy list
like us...@openoffice.org.  If we try to handle this via the MX
record, then that applies to the entire domain, all mailing lists as
well as forwarding email accounts at openoffice.org.  Is that correct?
In other words, the MX record is at the level of openoffice.org, not
at the level of us...@openoffice.org.

So in the MX approach, is there any way to do a more gradual
migration, or do we need to do it all at once, including the
forwarding accounts?  I know for web traffic, there is some
flexibility at the subdomain level.  But these are all the same
domain, just differing by account.

Suppose there is some way to get over that.  Then we could create
identically named (or predictably mappable) equivalent lists using
ezmlm.  But since we're not able to automatically sign users up, the
traffic forwarding would all end up in the moderator queues.  Of
course, these could be passed through.  We could even white list the
addresses.  (or black list in the case of spammers)  But it doesn't
get people signed up on the ezmlm list.

Where this might be useful is for cases where a legacy email list
address is on a third party page, or maybe even in our own legacy list
archives.  Someone does a Google search and sees something that says,
If you run into this problem, please send an email to
f...@openoffice.org.  Some degree of forwarding for these emails would
ensure such users don't get lost.

But we can't simply forward *.openoffice.org to a
ooo-legacy-bucket.i.a.o email list, since many of the *.openoffice.org
are personal forwarding addresses and contain personal content.  And
some lists are private lists.  So any forwarding scheme would need to
be very sensitive to these details and would likely need an actual
enumeration of the 300 or so lists and the unknown number of official
contact emails (webmaster, etc.) that we want to forward.

Do you see that path in a similar way?  Or do you see a simpler way of
doing that?

-Rob


Re: FAQ on patch contributions

2011-10-25 Thread Pedro Giffuni


--- On Tue, 10/25/11, Rob Weir robw...@apache.org wrote:


 Something we talked about a while ago, but never did.  An FAQ on how
 to submit a patch to the project.  Obviously, we have many project
 members who have figured this out.  But there may be others who now or
 in the future would benefit from a simple write up.
 
 I was thinking of taking as a base, this page from Apache HTTP, How
 to Contribute Patches to Apache:
 
 http://httpd.apache.org/dev/patches.html
 
 A few questions:
 
 1) If someone uses the git bridge to the repository, does git diff
 produce a patch in the same format as svn diff?  In other words, are
 they compatible?
 
 2) Do we have a strong preference for whether patches are submitted to
 the ooo-dev list or via Bugzilla?  Or are both acceptable?
 

Both are acceptable and are covered by clause 5 of the
AL2. I personally prefer bugzilla because the list
sometimes filters patches.




 3) It is clear that someone submitting a patch to BZ does so under
 ALv2.  It is not so clear for patches on ooo-dev, unless they state so
 explicitly, right?
 
FWIW, bugzilla reminds ppl of the AL2 when you create
an account. If you want to add a similar notice when
people subscribe to the list that's OK, but I don't
want the extra license noise in the lists to specify
what should be obvious.

 4) Any other things we should mention?
 
To use the [patch] or [code] tag when sending
patches.

Pedro.


Re: Neutral / shared security list ...

2011-10-25 Thread Martin Hollmichel

On 23.10.2011 04:37, Rob Weir wrote:

For example, AOOo currently does not have a Pootle
server.  Is that an area where TDF this time can help AOOo?

for the records, the old pootle server is lying under my desk, I would 
be glad to see that server online again,


Martin



Re: odt2braille on the Mac

2011-10-25 Thread Alexandro Colorado
Hi, I think it might be better to use the UNO API for the printing services.
http://wiki.services.openoffice.org/wiki/API/Samples/Java/Office/DocumentHandling#DocumentPrinter

On 10/25/11, Bert Frees bertfr...@gmail.com wrote:
 Hi all,

 My name is Bert Frees. I'm the developer of odt2braille, the Braille
 plugin for OOo: http://odt2braille.sourceforge.net/index.html. Some time
 ago I raised an issue on the old developer list (see e-mail below), but
 I got no reaction. I'm bringing it up again on this list in the hope
 somebody here can help me out. I'm not a Mac expert at all, but I get a
 lot of requests for Mac support. A lot of people would be very happy if
 this got solved.

 Thanks in advance,
 Bert Frees

 --
 Bert Frees
 Katholieke Universiteit Leuven
 Dept. Elektrotechniek - ESAT - SCD
 Onderzoeksgroep Documentarchitecturen
 Kasteelpark Arenberg 10 bus 2442
 B-3001 Heverlee-Leuven
 België



  Original Message 
 Subject: odt2braille on the Mac
 Date: Mon, 16 May 2011 11:55:37 +0200
 From: Bert Frees bertfr...@gmail.com
 To: d...@openoffice.org


 Hello,

 I'm new to this mailing list. My name is Bert Frees. I am the developer
 of odt2braille, the OpenOffice.org plugin for printing and exporting
 Braille. The website is http://odt2braille.sourceforge.net/index.html.

 I'm trying to make this plugin available on the Mac, but I've been
 puzzling on a bug for some time now and I'm really stuck. I hope there
 is somebody on this list who is familiar with OOo on the Mac, and who
 knows what might be the problem.

 I'm using javax.print.PrintServiceLookup
 http://download.oracle.com/javase/1.4.2/docs/api/javax/print/PrintServiceLookup.html
 to look up the default printer device. It works fine on Windows, but on
 Mac OS it causes OOo to crash. Also, I'm sure the problem is OOo-related
 because the code runs fine when it is not embedded in an OOo extension.

 This is the code:

 javax.print.PrintService printer =
     javax.print.PrintServiceLookup.lookupDefaultPrintService();


 Thanks,
 Bert




-- 
Alexandro Colorado
OpenOffice.org Español
http://es.openoffice.org


Re: Neutral / shared security list ...

2011-10-25 Thread Dave Fisher

On Oct 25, 2011, at 7:36 AM, Martin Hollmichel wrote:

 On 23.10.2011 04:37, Rob Weir wrote:
 For example, AOOo currently does not have a Pootle
 server.  Is that an area where TDF this time can help AOOo?
 for the records, the old pootle server is lying under my desk, I would be 
 glad to see that server online again,

Try contacting Andrew Rist, he may have a backup.

Regards,
Dave

Re: FAQ on patch contributions

2011-10-25 Thread Marcus (OOo)

On 10/25/2011 04:31 PM, Pedro Giffuni wrote:

--- On Tue, 10/25/11, Rob Weir robw...@apache.org wrote:



Something we talked about a while ago, but never did.  An FAQ on how
to submit a patch to the project.  Obviously, we have many project
members who have figured this out.  But there may be others who now or
in the future would benefit from a simple write up.

I was thinking of taking as a base, this page from Apache HTTP, How
to Contribute Patches to Apache:

http://httpd.apache.org/dev/patches.html

A few questions:

1) If someone uses the git bridge to the repository, does git diff
produce a patch in the same format as svn diff?  In other words, are
they compatible?

2) Do we have a strong preference for whether patches are submitted to
the ooo-dev list or via Bugzilla?  Or are both acceptable?



Both are acceptable and are covered by clause 5 of the
AL2. I personally prefer bugzilla because the list
sometimes filters patches.


+1

IMHO BZ seems to be the more logical part to host patches. Even when 
knowing the famous sentence If it doesn't happen on the list,  ;-)


When the Dev would write a short mail to the list with a link to the BZ 
issue, it would be perfect.



3) It is clear that someone submitting a patch to BZ does so under
ALv2.  It is not so clear for patches on ooo-dev, unless they state so
explicitly, right?


FWIW, bugzilla reminds ppl of the AL2 when you create
an account. If you want to add a similar notice when
people subscribe to the list that's OK, but I don't
want the extra license noise in the lists to specify
what should be obvious.


4) Any other things we should mention?


To use the [patch] or [code] tag when sending
patches.


Yes, would be helpful to differentiate right in the subject of mails.

Marcus


Re: FAQ on patch contributions

2011-10-25 Thread Shane Curcuru

Excellent stuff, and definitely needed.

On 10/25/2011 10:44 AM, Marcus (OOo) wrote:

On 10/25/2011 04:31 PM, Pedro Giffuni wrote:

--- On Tue, 10/25/11, Rob Weir robw...@apache.org wrote:

...snip...

2) Do we have a strong preference for whether patches are submitted to
the ooo-dev list or via Bugzilla? Or are both acceptable?



Both are acceptable and are covered by clause 5 of the
AL2. I personally prefer bugzilla because the list
sometimes filters patches.


+1

IMHO BZ seems to be the more logical part to host patches. Even when
knowing the famous sentence If it doesn't happen on the list,  ;-)

When the Dev would write a short mail to the list with a link to the BZ
issue, it would be perfect.


+1 for encouraging Bugzilla patches, since once the project is 
comfortable with the BZ categories, etc. it's easier to track items.


See Also: ooo-iss...@incubator.apache.org, which is a publicly archived 
mailing list that all BZ status changes are mirrored to - very helpful 
if folks want to track bugs.  Some projects have that stuff come to the 
dev@ list, but here it's a separate issues@ list.


Archives are at both:
http://mail-archives.apache.org/mod_mbox/incubator-ooo-issues/

http://ooo.markmail.org/search/bugzilla+list:org%2Eapache%2Eincubator%2Eooo-issues


- Shane


Re: Neutral / shared security list ...

2011-10-25 Thread Martin Hollmichel

Hi all,

If both parties (ASF, TDF) agree, I could imagine that team openoffice 
is willing to provide funds for an independent location, but at the same 
time I'm wondering whether such neutral zone is wanted and makes sense? 
What I really don't like to see is a third location for OpenOffice.org 
gets established, that would not be the right sign,


Martin

On 25.10.2011 13:03, Simon Phipps wrote:

On 25 Oct 2011, at 02:55, Dave Fisher wrote:


I tried to be ambiguous with fork/downstream. There is a relationship, and 
whether it originates as a fork, upstream, downstream, or upside-down relationship the 
relationship *IS* a *PEER* relationship. (auf Deutsch, ist klar?)

:-)  I just want to make clear that, listening to both sides of this issue, it 
is very easy (on both sides) for people to use language that is unintentionally 
inflammatory and then treat the other party as at fault when they react to it...


So, this could be a true point of co-operation, there was a thread about this 
and it did have some good ideas.

Extensions and especially templates are likely to be compatible.

This isn't a given. By the time AOOo makes an end-user release, there are 
likely to be substantial differences and a shared  add-ons repo would probably 
need to distinguish strongly between the two projects. Still worth considering 
though, I agree.


Given the licensing issues with Apache hosting it does make more sense for the 
TDF to host these.

TDF won't host closed extensions though, so the combined (TDF + Apache) repo 
would still hold less than the current repo.


No technical reasons why the openoffice.org DNS for these couldn't point to 
servers hosted by the TDF.

Maybe this is a compromise solution for the security list too?  make it 
coordinat...@security.openoffice.org and point the MX at a TDF server?

S.





Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance

2011-10-25 Thread Robert Burrell Donkin
On Tue, Oct 25, 2011 at 1:38 PM, Christian Lohmaier
cl...@openoffice.org wrote:
 Hi Robert, *,

 On Tue, Oct 25, 2011 at 2:15 PM, Robert Burrell Donkin
 robertburrelldon...@gmail.com wrote:
 On Tue, Oct 25, 2011 at 12:36 PM, Christian Lohmaier
 cl...@openoffice.org wrote:
 [...]
 That doesn't make sense - integrity is assured by bittorrent by
 providing sha1sums for each  chunk. And authenticity can be assured
 just like it is with regular releases - just include a corresponding
 signature file within the torrent.

 Better to download the signature over HTTPS but yes, I see no reason
 why this approach could not be made to work

 With signature I meant a real signature (gpg signature), not a md5sum
 or sha1sum file.
 When it is a cryptographic signature, it doesn't matter how you
 download it, as it cannot be faked.
 (of course the user has to get the proper key, but that's a different issue)

FWIW it's a defense in depth measure[1]

 I may have dreamed it or I am mixing this up with something else.

 If those were the only reasons, then they were made-up arguments.

 When engaging with Infrastructure, expect to be challenged and to have
 to defend any proposal. These lists are open, so expect a range of
 cluefulness from contributors. The best way to impress the core
 infrastructure team is for plenty of clueful people from a project to
 show up and defend the proposal with well researched arguments. Giving
 up and going away is the surest way to lose the argument...

 With OOo the tracker network[1] was run independently anyway and not
 hosted on the Oracle or OSUOSL hosted infrastructure. The main tracker
 was Mike's at utwente, and that mirror also was the initial/main seed
 for all the releases. There were other trackers linked together via a
 tracker-hub (backup tracker as well as the hub were provided by
 Harold).

 So it is not a matter of infrastructure, but a matter of policy.

Where's the URL for this policy?

Robert

[1] Consider an attacker with some ability to fabricate convincing
signatures. Downloading the signature from a trusted server means that
such an attacker would need to replace an existing signature on secure
hardware without detection. The small increase in traffic is a small
price to pay for this additional defense in depth.
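
An added illustration of the point argued in this exchange (not code from the thread or from either project): BitTorrent piece hashes, and any checksum file shipped inside the torrent, only show that the download matches what the torrent's publisher supplied, while a reference value fetched over a separate trusted channel catches a swapped release. A plain SHA-256 reference value stands in here for the detached signature discussed above, because OpenPGP verification needs tooling outside the standard library. The payloads, the piece size and the name `TRUSTED_SHA256` are constructed assumptions.

```python
import hashlib
import hmac

PIECE_LEN = 16  # constructed value; real torrents use much larger pieces


def piece_hashes(payload: bytes, piece_len: int) -> bytes:
    """Concatenated 20-byte SHA-1 digests, one per piece (the torrent 'pieces' field)."""
    return b"".join(
        hashlib.sha1(payload[i:i + piece_len]).digest()
        for i in range(0, len(payload), piece_len)
    )


def build_torrent(payload: bytes, piece_len: int = PIECE_LEN) -> dict:
    """Whoever publishes a torrent derives every part of it from their own payload."""
    return {
        "meta": {
            "length": len(payload),
            "piece length": piece_len,
            "pieces": piece_hashes(payload, piece_len),
        },
        # Checksum file bundled inside the torrent, next to the payload.
        "bundled_sha256": hashlib.sha256(payload).hexdigest(),
    }


def verify_pieces(received: bytes, meta: dict) -> bool:
    """The check a BitTorrent client performs: data must match the metainfo."""
    if len(received) != meta["length"]:
        return False
    expected = piece_hashes(received, meta["piece length"])
    return hmac.compare_digest(expected, meta["pieces"])


def check_download(torrent: dict, received: bytes, trusted_sha256: str) -> dict:
    """Run all three checks and report each result separately."""
    actual = hashlib.sha256(received).hexdigest()
    return {
        # Integrity relative to the torrent file itself.
        "pieces_ok": verify_pieces(received, torrent["meta"]),
        # Self-consistency: the checksum travelled with the data it describes.
        "bundled_ok": hmac.compare_digest(actual, torrent["bundled_sha256"]),
        # Authenticity: compared against a value obtained out of band.
        "trusted_ok": hmac.compare_digest(actual, trusted_sha256),
    }


# Constructed sample data, not real release bytes.
GENUINE = b"genuine release payload (constructed sample bytes)"
TAMPERED = b"modified release payload (constructed sample bytes)"
# Assumption: in practice this value is fetched over HTTPS from the project's server.
TRUSTED_SHA256 = hashlib.sha256(GENUINE).hexdigest()


def scenarios() -> dict:
    genuine_torrent = build_torrent(GENUINE)
    swapped_torrent = build_torrent(TAMPERED)  # built by someone other than the project
    damaged = bytearray(GENUINE)
    damaged[3] ^= 0x01  # single bit flipped in transit
    return {
        "genuine": check_download(genuine_torrent, GENUINE, TRUSTED_SHA256),
        "bit_flip_in_transit": check_download(genuine_torrent, bytes(damaged), TRUSTED_SHA256),
        "swapped_torrent": check_download(swapped_torrent, TAMPERED, TRUSTED_SHA256),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22s} {result}")
```

Only the out-of-band comparison distinguishes the swapped torrent from the genuine one; the two in-band checks pass for both.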


Re: Draft mailing list notification post

2011-10-25 Thread Donald Whytock
is migrate the many legacy - is migrating the many legacy

on to Apache servers - onto Apache servers

Aside from that, it looks good to me, though I wonder if the opening
paragraph sounds a little Nigerian.

Don


Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance

2011-10-25 Thread Marcus (OOo)

On 10/25/2011 02:02 PM, Robert Burrell Donkin wrote:

On Mon, Oct 24, 2011 at 2:08 AM, Marcus (OOo) marcus.m...@wtnet.de wrote:

snip


The problem is that the ASF do not want to host and provide services of
special software for single projects. I can understand this as even the ASF
infra is a team of volunteers and their time is limited as it is for all
others.


I think this is a little open to misinterpretation. Hopefully a Mentor
will jump in but (until they do) I'll do my best to explain a little
bit more about the way infrastructure works here at Apache...

The infrastructure team at Apache is an independent, volunteer-led
self-organising community of experts. Apache delegates infrastructure
to this community, and provides resources to sustain their work[1].
When asking infrastructure for help, it's essential to remember this
and engage with them as peers with special expertise. Anyone arriving
with a solution or a request for a new service must expect to be
challenged to defend and refine their choice of solution.


Thanks for the explanation. I thought it would be a kind of just 
another project. But it's not.



To move back to the particular, this is a migration issue. A valuable
service is about to be closed and needs to be migrated. Whether this
is right long term solution is open to debate but accepting a service
for a temporary period doesn't raise the issues that committing to
provide a similar service for all projects forever would. Please
explain the problem to infrastructure and ask for their help to find a
solution.


I know a service like MirrorBrain could be a high value of any Apache 
project that provides file downloads, so it should be helpful for every 
project.


As it is able to keep the overview of all possible mirrors that offer 
Apache software there needs to be only a single instance and not per 
project.


Let's see what to get until Friday. Otherwise we have to start again.

Marcus




[1] The team has a budget and some flexibility to bring additional
resources - including hired help - when needed. Apache has adequate
financial resources but is culturally resistant to committing to
additional spending without good reason. Apache values independence.
Dependency on funding risks that independence.


Re: odt2braille on the Mac

2011-10-25 Thread Bert Frees

Hi Alexandro,

Thanks for your suggestion.

Something I didn't mention yet is that I need an interface that can send 
raw data (a byte stream) to a printer driver. The problem with braille 
printers is that they're very different from normal ink printers. A 
braille printer is more like an old dotmatrix or impact printer, and is 
controlled with special escape sequences and codes that define where a 
braille dot has to be placed on the paper.


Is it possible to send raw data to a printer using this API?

Best,
Bert

On 25/10/2011 16:41, Alexandro Colorado wrote:

Hi, I think it might be better to use the UNO API for the printing services.
http://wiki.services.openoffice.org/wiki/API/Samples/Java/Office/DocumentHandling#DocumentPrinter

On 10/25/11, Bert Frees bertfr...@gmail.com wrote:

Hi all,

My name is Bert Frees. I'm the developer of odt2braille, the Braille
plugin for OOo: http://odt2braille.sourceforge.net/index.html. Some time
ago I raised an issue on the old developer list (see e-mail below), but
I got no reaction. I'm bringing it up again on this list in the hope
somebody here can help me out. I'm not a Mac expert at all, but I get a
lot of requests for Mac support. A lot of people would be very happy if
this got solved.

Thanks in advance,
Bert Frees

--
Bert Frees
Katholieke Universiteit Leuven
Dept. Elektrotechniek - ESAT - SCD
Onderzoeksgroep Documentarchitecturen
Kasteelpark Arenberg 10 bus 2442
B-3001 Heverlee-Leuven
België



 Original Message 
Subject: odt2braille on the Mac
Date: Mon, 16 May 2011 11:55:37 +0200
From: Bert Frees bertfr...@gmail.com
To: d...@openoffice.org


Hello,

I'm new to this mailing list. My name is Bert Frees. I am the developer
of odt2braille, the OpenOffice.org plugin for printing and exporting
Braille. The website is http://odt2braille.sourceforge.net/index.html.

I'm trying to make this plugin available on the Mac, but I've been
puzzling on a bug for some time now and I'm really stuck. I hope there
is somebody on this list who is familiar with OOo on the Mac, and who
knows what might be the problem.

I'm using javax.print.PrintServiceLookup
http://download.oracle.com/javase/1.4.2/docs/api/javax/print/PrintServiceLookup.html
to look up the default printer device. It works fine on Windows, but on
Mac OS it causes OOo to crash. Also, I'm sure the problem is OOo-related
because the code runs fine when it is not embedded in an OOo extension.

This is the code:

javax.print.PrintService printer =
    javax.print.PrintServiceLookup.lookupDefaultPrintService();


Thanks,
Bert




Re: Areas for cooperation between AOOO and LO [was: Cooperation withRe: Neutral / shared security list ...]

2011-10-25 Thread Dave Fisher

On Oct 25, 2011, at 2:38 AM, Ian Lynch wrote:

 Seems to me that while the focus is political point scoring, aggression,
 sarcasm and such the chances of getting cooperation are zero.

+1. We will need to crawl to co-operation before we walk and run.

Regards,
Dave

 
 On 25 October 2011 00:32, Rob Weir robw...@apache.org wrote:
 
 On Mon, Oct 24, 2011 at 7:11 PM, Simon Phipps si...@webmink.com wrote:
 
 On 25 Oct 2011, at 00:56, Rob Weir wrote:
 
 Hi Simon, do you have any other ideas for cooperation, preferably ones
 that are not redundant?
 
 While I am amused that your first words after hopefully will attract
 fewer trolls themselves include a mean-spirited troll, I'm sorry you think
 a collaborative security mailing list with shared, collaborative ownership
 is redundant.
 
 
 We already have a collaborative security mailing list that has 4 LO
 members on it, as well as several AOOo members, representatives from
 other vendors, security experts from Linux distros, etc.  So we are
 already there.  Creating a new list for the same thing would be
 redundant.
 
 We clearly have very different views of the world. I continue to think
 such a list holds great opportunity for collaboration since it was working
 in that role for many months, but it's hard to see how it can now be the
 securityteam@ list, unfortunately (unless you're speaking alone, of
 course).
 
 
 As above, the list exists and LO and AOOo members are already on it,
 Time to declare success and find additional areas to collaborate.
 
 I suggested cooperating on translations via
 a shared Pootle instance.
 
 Hard to see how that would work since it would require the source to be
 highly similar and that looks unlikely to be the case.
 
 
 I think the value would come from the translation memory aspect.  So
 even if we had different source files, the UI's of the products are
 nearly identical, and the underlying concepts of the products remain
 very much the same and likely will remain so for the foreseeable future.
 (it is not like spreadsheets and word processors have changed much in
 the past decade).  So there may be some value in sharing translation
 memory of basic concepts and repeated patterns that are common to
 describing both products.
 
 It also makes it easier for translators who wish to contribute to both
 products at once, similar to what ODF Authors has done for
 documentation.
 
  Or maybe code browsing/searching facilities
 with OpenGrok.  Are either of those possible?
 
 Hard to see how two very different source trees can have a shared
 browser. It would be best for Apache to run its own instance.
 
 Or maybe work on a collaborative QA site as an alternative user
 support option?
 
 Plausible in the future but a little early to be proposing it - YAGNI
 applies.
 
 
 A little too early? It looks like someone is already trying this for
 LO, but they are failing to get enough participation needed to
 graduate on StackExchange.  So it looks like an area ripe for
 collaboration:
 
 http://area51.stackexchange.com/proposals/24564/libreoffice
 
  Or maybe a shared template and extensions site?
 
 I believe I once proposed such a thing, and was told by both communities
 that licensing issues would largely prevent it.
 
 
 I certainly proposed such a thing, and licensing was not an issue in
 my proposal.  Maybe we should revisit, if you think this is a possible
 area for collaboration?
 
 Any other ideas?
 
 Delighted to hear you are now such a fan of co-operation though, Rob.
 I'll be sure to support any viable proposals you present to both
 communities.
 
 
 I'll continue to float the ideas by you first, Simon.  I'd like you to
 be able to find some success in your goal to lead these projects to
 find areas to collaborate.
 
 -Rob
 
 S.
 
 
 
 
 
 
 
 
 -- 
 Ian
 
 Ofqual Accredited IT Qualifications (The Schools ITQ)
 
 www.theINGOTs.org +44 (0)1827 305940
 
 The Learning Machine Limited, Reg Office, 36 Ashby Road, Tamworth,
 Staffordshire, B79 8AQ. Reg No: 05560797, Registered in England and
 Wales.



Re: Neutral / shared security list ...

2011-10-25 Thread Rob Weir
On Tue, Oct 25, 2011 at 11:05 AM, Martin Hollmichel
martin.hollmic...@googlemail.com wrote:
 Hi all,

 If both parties (ASF, TDF) agree, I could imagine that team openoffice is
 willing to provide funds for an independent location, but at the same time
 I'm wondering whether such neutral zone is wanted and makes sense? What I
 really don't like to see is a third location for OpenOffice.org gets
 established, that would not be the right sign,


I'm not sure any of this makes sense.  One really needs to suspend
reason to understand this debate.  For example, Michael is arguing
that an Apache-controlled list would not be sufficiently neutral to
have security discussions on, despite the fact that it has been used
for such purposes, by many, including him, for longer than TDF has
been around.  Ironically,  he is making his argument, and we are
having this debate, on an Apache-controlled development list, one in
which Michael is freely posting to and participating in.  This does
not look like a winning argument.

In any case, we have four other TDF/LO members on the securityteam
list, including several members of the TDF leadership (Steering
Committee).  So whatever scruples Michael has do not appear to be
shared by all TDF/LO members.

-Rob

 Martin

 On 25.10.2011 13:03, Simon Phipps wrote:

 On 25 Oct 2011, at 02:55, Dave Fisher wrote:

 I tried to be ambiguous with fork/downstream. There is a relationship,
 and whether it originates as a fork, upstream, downstream, or upside-down
 relationship the relationship *IS* a *PEER* relationship. (auf Deutsch, ist
 klar?)

 :-)  I just want to make clear that, listening to both sides of this
 issue, it is very easy (on both sides) for people to use language that is
 unintentionally inflammatory and then treat the other party as at fault when
 they react to it...

 So, this could be a true point of co-operation, there was a thread about
 this and it did have some good ideas.

 Extensions and especially templates are likely to be compatible.

 This isn't a given. By the time AOOo makes an end-user release, there are
 likely to be substantial differences and a shared  add-ons repo would
 probably need to distinguish strongly between the two projects. Still worth
 considering though, I agree.

 Given the licensing issues with Apache hosting it does make more sense
 for the TDF to host these.

 TDF won't host closed extensions though, so the combined (TDF + Apache)
 repo would still hold less than the current repo.

 No technical reasons why the openoffice.org DNS for these couldn't point
 to servers hosted by the TDF.

 Maybe this is a compromise solution for the security list too?  make it
 coordinat...@security.openoffice.org and point the MX at a TDF server?

 S.





Re: Neutral / shared security list ...

2011-10-25 Thread Dave Fisher
Hi Michael,

On Oct 25, 2011, at 3:47 AM, Michael Meeks wrote:

 Hi Dave,
 
 On Mon, 2011-10-24 at 16:25 -0700, Dave Fisher wrote:
 Not sure how much this is like your original proposal, but maybe the
 following is acceptable:
 
 (1) The securityt...@openoffice.org continues.
 
   As mentioned, not happy about an openoffice.org domain; LibreOffice is
 not openoffice.org, that is not really neutral.

Understood. It is a requirement for a neutral address. On our side it is a 
desire for the same address

 (2) The membership of securityteam ML should be open to individuals
 and forks/downstreams as selected by the ML membership.
 
   Fine - though I'd characterise AOOoI as a fork too if this
 is used as a loaded term.

Not meant to be loaded. As in another email exchange with Simon, PEER 
relationships without regard to perceived historical relationships.

 
 (3) The securityteam ML moderators are selected from the
 individual membership of the securityteam ML.
 
   Fine.
 
 (4) The securityteam ML is nominally under the governance of the
 ASF - either the AOOo podling PPMC, the Apache Security Team, or
 even the Foundation Board. I think the AOOo podling PPMC should
 be acceptable, but we can ask the other entities if that
 is not neutral enough. We may ask the TDF to neutrally host some
 component and it would make sense for each entity to trust the
 neutrality of the other entity (Rob's real point).
 
   Totally un-acceptable, I'm sorry. The Apache project is by no means
 neutral. The decision to take on AOOoI and the actions of that project
 are its responsibility.

By nominally I meant only the minimum required by any responsible host who 
opens their facilities to the public.

However, this is moot (does not matter) if the address is not in a domain that 
the ASF is responsible.

 (5) No iCLAs are required.
 
   Of course.
 
 (6) A set point for membership is determined when at least
 AOOo, TDF, and any other OOo fork/downstreams who might
 appear within a reasonably short time period. The deadline
 would need to be agreed.
 
   I would not have a process - we should just include everyone competent
 who has a reason to be there; that is normally fairly easy to work out
 relationally; if not the moderators can thrash it out. If it is a
 multi-vendor, neutral list I don't envisage controversy there.

I don't either. My thought was to give individuals / peer projects time to 
appear. If they are welcomed gladly by the list after the list's establishment 
then no troubles.

 
 (7) The securityt...@openoffice.org ML will be hosted by the
 ASF when the MX for openoffice.org is moved to ASF Infrastructure.
 
   Hosting by the ASF is by no means ideal, but perhaps compromise here is
 reasonable.
 
 I'm currently curious if LO uses extensions.s.oo.o and templates.s.oo.o?
 
   We built our own new infrastructure for that.

Good for LO. More for AOOo to cleanup...

 
   So - I am still fairly firmly convinced that this security thing is not
 going to pan out. Here is my potted history of it:
 
   * initial request for continuing the traditional,
 friendly cross membership of security lists
   + turned down at AOOoI: Apache Committers only
   * requests for a neutral list with neutral name turn into:
   + ASF  openoffice.org -are-neutral-; proof by assertion
   * more compromise proposals arrive
   + these have high level ASF governance hard-wired

I can see how you would perceive the history this way.

I think it would help to have a single ML and I think that is more important 
than the address. securityt...@openoffice.org can be made to forward to that 
address if necessary.

   This doesn't make it seem like we're going anywhere productive, which
 is fine - there is no huge problem with having two separate public
 facing security lists that can have cross membership on them.
 
   Since there is no TDF affiliated admin for the currently suggested,
 Apache controlled, 'neutral' security list, extracting a membership list
 of that would be appreciated - so we can mirror it in a suitable other
 place.

It would be good for the AOOo PPMC to see this list as well. I think that the 
actual membership should be shared in private. Would someone with appropriate 
karma on the OOo MLs please provide this.

   I'm also minded to consider the relative grief of endlessly re-hashing
 this issue vs. actually fixing whatever bugs are found. Can we not just
 move on.

You suggested: officesecur...@lists.freedesktop.org

The comment was that this was not an appropriate domain name as not all of the 
Office Space is Linux. So, the open question is where the list is hosted.

Martin mentions hosting at Team OpenOffice, but that fails your neutrality test 
doesn't it?

Regards,
Dave


 
   All the best,
 
   Michael.
 
 -- 
 michael.me...@suse.com  , Pseudo Engineer, itinerant idiot
 



Re: Neutral / shared security list ...

2011-10-25 Thread Rob Weir
On Tue, Oct 25, 2011 at 11:24 AM, Dave Fisher dave2w...@comcast.net wrote:
 Hi Michael,

 On Oct 25, 2011, at 3:47 AM, Michael Meeks wrote:

 Hi Dave,

 On Mon, 2011-10-24 at 16:25 -0700, Dave Fisher wrote:
 Not sure how much this is like your original proposal, but maybe the
 following is acceptable:

 (1) The securityt...@openoffice.org continues.

       As mentioned, not happy about an openoffice.org domain; LibreOffice is
 not openoffice.org, that is not really neutral.

 Understood. It is a requirement for a neutral address. On our side it is a 
 desire for the same address

 (2) The membership of securityteam ML should be open to individuals
 and forks/downstreams as selected by the ML membership.

       Fine - though I'd characterise AOOoI as a fork too if this
 is used as a loaded term.

 Not meant to be loaded. As in another email exchange with Simon, PEER 
 relationships without regard to perceived historical relationships.


 (3) The securityteam ML moderators are selected from the
 individual membership of the securityteam ML.

       Fine.

 (4) The securityteam ML is nominally under the governance of the
 ASF - either the AOOo podling PPMC, the Apache Security Team, or
 even the Foundation Board. I think the AOOo podling PPMC should
 be acceptable, but we can ask the other entities if that
 is not neutral enough. We may ask the TDF to neutrally host some
 component and it would make sense for each entity to trust the
 neutrality of the other entity (Rob's real point).

       Totally un-acceptable, I'm sorry. The Apache project is by no means
 neutral. The decision to take on AOOoI and the actions of that project
 are its responsibility.

 By nominally I meant only the minimum required by any responsible host who 
 opens their facilities to the public.

 However, this is moot (does not matter) if the address is not in a domain 
 that the ASF is responsible.

 (5) No iCLAs are required.

       Of course.

 (6) A set point for membership is determined when at least
 AOOo, TDF, and any other OOo fork/downstreams who might
 appear within a reasonably short time period. The deadline
 would need to be agreed.

       I would not have a process - we should just include everyone competent
 who has a reason to be there; that is normally fairly easy to work out
 relationally; if not the moderators can thrash it out. If it is a
 multi-vendor, neutral list I don't envisage controversy there.

 I don't either. My thought was to give individuals / peer projects time to 
 appear. If they are welcomed gladly by the list after the list's 
 establishment then no troubles.


 (7) The securityt...@openoffice.org ML will be hosted by the
 ASF when the MX for openoffice.org is moved to ASF Infrastructure.

       Hosting by the ASF is by no means ideal, but perhaps compromise here is
 reasonable.

 I'm currently curious if LO uses extensions.s.oo.o and templates.s.oo.o?

       We built our own new infrastructure for that.

 Good for LO. More for AOOo to cleanup...


       So - I am still fairly firmly convinced that this security thing is not
 going to pan out. Here is my potted history of it:

       * initial request for continuing the traditional,
         friendly cross membership of security lists
               + turned down at AOOoI: Apache Committers only
       * requests for a neutral list with neutral name turn into:
               + ASF  openoffice.org -are-neutral-; proof by assertion
       * more compromise proposals arrive
               + these have high level ASF governance hard-wired

 I can see how you would perceive the history this way.

 I think it would help to have a single ML and I think that is more important 
 than the address. securityt...@openoffice.org can be made to forward to that 
 address if necessary.

       This doesn't make it seem like we're going anywhere productive, which
 is fine - there is no huge problem with having two separate public
 facing security lists that can have cross membership on them.

       Since there is no TDF affiliated admin for the currently suggested,
 Apache controlled, 'neutral' security list, extracting a membership list
 of that would be appreciated - so we can mirror it in a suitable other
 place.

 It would be good for the AOOo PPMC to see this list as well. I think that the 
 actual membership should be shared in private. Would someone with appropriate 
 karma on the OOo MLs please provide this.


-1 to that.  Sharing subscriber lists with other organizations is a
violation of trust and violates personal data protection.

However, if someone wants to send a note to securityteam, inviting
members to subscribe to another list, as an opt-in, that would
address those concerns.

But it would be good to think this through, and see if we can avoid an
infinite regress of mailing lists.  We already have ooo-security and
tdf-security and securityteam.  Are we really going to create a 4th
one based on one person's irrational distrust of 

Re: Neutral / shared security list ...

2011-10-25 Thread Florian Effenberger

Hello,

it is really amazing how much hot air can be produced for such a topic.

Folks, it's rather easy. After the recent discussions and the history of 
this topic, it becomes obvious, that neutral grounds are important.


Neutral grounds mean:
- no domain name related to Apache, OOo, TDF or LibO
- no hosting at one of these entities
- members of the list from both parties (and of course other third 
parties that make sense)

- admins of the list from both parties

I'd also avoid any of the German associations, either directly or via 
donations, since stakeholders at both projects are in their respective 
boards, which might raise concerns towards neutrality.


What's so complicated to understand here? We can bury ourselves with 
senselessly quoting bullshit from dictionaries, wikipedia or a 
philosopher of our choice, or finally start working on things.


A concrete proposal:
- We can use either FreeDesktop.org,
- or in case this is seen as non-neutral as it hosts also a few TDF 
lists (not all), go for SourceForge.
- I am also happy to ask a friend of mine who is in the business of mail 
server consultancy, to host that list under a neutral domain name. He 
hosts various lists for free projects. In case that's not neutral enough 
as he's a friend, I know none of the admins at SourceForge.


So, is there any *compelling* reason not to try out one of these three 
options?


Florian

--
Florian Effenberger flo...@documentfoundation.org
Steering Committee and Founding Member of The Document Foundation
Tel: +49 8341 99660880 | Mobile: +49 151 14424108
Skype: floeff | Twitter/Identi.ca: @floeff


[Proposal] Security coordination without a shared list

2011-10-25 Thread Rob Weir
There is an easy way to avoid all the trust issues with regards to
shared mailing lists.  Don't have such a list.  Trust individuals.
This proposal takes this approach.

1) The AOOo PMC solicits the names of security contacts from related
projects who wish to be consulted related to pre-disclosure
coordination related to analysis and resolution of reported security
vulnerabilities.  Names of individuals are preferred over opaque
mailing lists.  Trust can be established based on a PGP/GPG web of
trust.  These names and addresses are stored confidentially in the
PPMC's private SVN directory.

2) The AOOo security team reaches out to these contacts, as
appropriate, via their preferred contact mechanism, to coordinate on
specific vulnerabilities.  We (Apache) would cc ooo-security on our
external emails, as required by Apache policy [1].

3) Other groups would be encouraged to reach out to AOOo in similar
circumstances via our preferred contact mechanism, ooo-security.

4) This fully allows targeted collaboration on specific issues, via
each project's preferred contact mechanism,  without requiring the
maintenance of an additional email list.

5)  If we want to discuss security in general, then that can/should
happen on public dev lists.  That public discussion could occur
anywhere.


[1]: http://www.apache.org/security/committers.html


Re: Neutral / shared security list ...

2011-10-25 Thread Rob Weir
On Tue, Oct 25, 2011 at 11:56 AM, Florian Effenberger
flo...@documentfoundation.org wrote:
 Hello,

 it is really amazing how much hot air can be produced for such a topic.

 Folks, it's rather easy. After the recent discussions and the history of
 this topic, it becomes obvious, that neutral grounds are important.

 Neutral grounds mean:
 - no domain name related to Apache, OOo, TDF or LibO
 - no hosting at one of these entities
 - members of the list from both parties (and of course other third parties
 that make sense)
 - admins of the list from both parties


Sorry, but you build an incredible amount of distrust in others if you
express such irrational distrust in AOOo.  I'd have extreme hesitation
to work with anyone who exhibits such vehement distrust of an 11 year
old open source foundation that produces 5 of the top 10 open source
projects, and which has a stellar reputation in the industry,
including its treatment of security vulnerabilities.

-Rob

 I'd also avoid any of the German associations, either directly or via
 donations, since stakeholders at both projects are in their respective
 boards, which might raise concerns towards neutrality.

 What's so complicated to understand here? We can bury ourselves with
 senselessly quoting bullshit from dictionaries, wikipedia or a philosopher of
 our choice, or finally start working on things.

 A concrete proposal:
 - We can use either FreeDesktop.org,
 - or in case this is seen as non-neutral as it hosts also a few TDF lists
 (not all), go for SourceForge.
 - I am also happy to ask a friend of mine who is in the business of mail
 server consultancy, to host that list under a neutral domain name. He hosts
 various lists for free projects. In case that's not neutral enough as he's a
 friend, I know none of the admins at SourceForge.

 So, is there any *compelling* reason not to try out one of these three
 options?

 Florian

 --
 Florian Effenberger flo...@documentfoundation.org
 Steering Committee and Founding Member of The Document Foundation
 Tel: +49 8341 99660880 | Mobile: +49 151 14424108
 Skype: floeff | Twitter/Identi.ca: @floeff



Re: Neutral / shared security list ...

2011-10-25 Thread Florian Effenberger

Hi,

Rob Weir wrote on 2011-10-25 18:11:

Sorry, but you build an incredible amount of distrust in others if you
express such irrational distrust in AOOo.  I'd have extreme hesitation
to work with anyone who exhibits such vehement distrust of an 11 year
old open source foundation that produces 5 of the top 10 open source
projects, and which has a stellar reputation in the industry,
including its treatment of security vulnerabilities.


where did I express distrust in AOOo? I was explaining what neutral 
means. Is there anything wrong in the explanation of neutrality in this 
case?


One could also say you express distrust to people who have been involved 
with OpenOffice.org for nearly a decade. But insults like these lead to 
nowhere.


Florian

--
Florian Effenberger flo...@documentfoundation.org
Steering Committee and Founding Member of The Document Foundation
Tel: +49 8341 99660880 | Mobile: +49 151 14424108
Skype: floeff | Twitter/Identi.ca: @floeff


Re: Neutral / shared security list ...

2011-10-25 Thread Rob Weir
On Tue, Oct 25, 2011 at 12:20 PM, Florian Effenberger
flo...@documentfoundation.org wrote:
 Hi,

 Rob Weir wrote on 2011-10-25 18:11:

 Sorry, but you build an incredible amount of distrust in others if you
 express such irrational distrust in AOOo.  I'd have extreme hesitation
 to work with anyone who exhibits such vehement distrust of an 11 year
 old open source foundation that produces 5 of the top 10 open source
 projects, and which has a stellar reputation in the industry,
 including its treatment of security vulnerabilities.

 where did I express distrust in AOOo? I was explaining what neutral means.
 Is there anything wrong in the explanation of neutrality in this case?

 One could also say you express distrust to people who have been involved
 with OpenOffice.org for nearly a decade. But insults like these lead to
 nowhere.


My point is that neutrality does not increase trust.  You may say
Apache is not neutral, but I say Apache is trusted in this industry in
security matters, with security researchers, users and corporations,
and this trust is far greater than any trust you will have with a new
ad-hoc little security list that you create today, with ad hoc
governance.

I'm more concerned with trust than with neutrality.  Users are more
concerned with trust.  Security reporters are more concerned with
trust.  And I recommend that you start being more concerned with
trust, users and security.

It is mind boggling that we're having a discussion about an important
topic -- how we handle security vulnerabilities -- and the discussion
is being led based entirely on non-security considerations, without
hardly a mention of users, and instead dwelling on one party's
paranoia.  This does not make sense.

-Rob

 Florian

 --
 Florian Effenberger flo...@documentfoundation.org
 Steering Committee and Founding Member of The Document Foundation
 Tel: +49 8341 99660880 | Mobile: +49 151 14424108
 Skype: floeff | Twitter/Identi.ca: @floeff



Re: Neutral / shared security list ...

2011-10-25 Thread Florian Effenberger

Hi,

Rob Weir wrote on 2011-10-25 18:26:

It is mind boggling that we're having a discussion about an important
topic -- how we handle security vulnerabilities -- and the discussion
is being led based entirely on non-security considerations, without
hardly a mention of users, and instead dwelling on one party's
paranoia.  This does not make sense.


if you want, I can perfectly write you paragraphs about why TDF, why 
FrODeV or why any other entity is trustworthy and/or neutral. Again, 
this doesn't lead to anywhere in this case.


Name me one argument that speaks against my proposal, other than 
personal feelings. Otherwise I'm not wasting my time anymore with 
discussing that topic here, it really leads to nowhere.


I made a proposal on how to have neutral grounds, and if all parties are 
involved, trust should be given as well. Users will benefit. Everyone 
happy. Easy, isn't it?


Florian

--
Florian Effenberger flo...@documentfoundation.org
Steering Committee and Founding Member of The Document Foundation
Tel: +49 8341 99660880 | Mobile: +49 151 14424108
Skype: floeff | Twitter/Identi.ca: @floeff


Re: [PATCH] Fix for #118485#, #108221#, #67705#

2011-10-25 Thread Regina Henschel

Hi Armin,

Armin Le Grand schrieb:
[..]

I checked all changes again and added the patch to #118485#. Now I'm
looking for someone volunteering to add the patch, build AOOo and play
around with OLEs a little bit, reading the patch will also help in this
case, it's not too big to do so.


I did some further tests.

I have taken some older documents, where the transformations are done 
via matrix (you know them). Chart and Math-Formulas behave now the same 
way as simple drawing objects. So that is OK.


OOo sxd-documents are converted fine, the fill style and the line style 
is corrected to NONE.




The change looks big, but it touches no too critical parts. It is also
necessary to bring it in AOOo3.4, this change relies on a version change
(here: 3.3 to 3.4) to be able to correct files written by OOo up to 3.3
(and only those).

Some background: The root problem here was that older versions straight
ignored attributes set at OLE objects by just not painting them. This
means that in files generated the attributes are written and in plain
ODF OLEs are filled default (blue8) and have line on default (black
hairline).


Documents made with LibreOffice are not converted. The background is 
blue and the line black. Is a solution possible inside AOOo? Should it 
be done?


I have written a Basic macro to set the background and line style to 
NONE. Developing it I have noticed, that the Math-objects do not support 
the services LineProperties and FillProperties. But I can set the single 
properties 'LineStyle' and 'FillStyle' and Xray lists all the other 
properties. So shouldn't they support these services?




Questions/Comments are welcome,
Armin



Kind regards
Regina



Re: Neutral / shared security list ...

2011-10-25 Thread Michael Meeks
Hi Dave,

First - thanks for being so reasonable :-) it is rather refreshing to
talk details in a pleasant fashion.

On Tue, 2011-10-25 at 08:24 -0700, Dave Fisher wrote:
 However, this is moot (does not matter) if the address is not in
 a domain that the ASF is responsible.

Fair enough, seems we're on the same page here then.

  I would not have a process - we should just include everyone competent
  who has a reason to be there; that is normally fairly easy to work out
  relationally; if not the moderators can thrash it out. If it is a
  multi-vendor, neutral list I don't envisage controversy there.
 
 I don't either. My thought was to give individuals / peer projects time to
 appear. If they are welcomed gladly by the list after the list's
 establishment then no troubles.

Sure - I suspect pre-populating with the previous guys, adding a few
more interested & relevant parties and so on would be fine.

 I think it would help to have a single ML and I think that is more 
 important than the address.

Completely agreed.

  securityt...@openoffice.org can be made to forward to that address
 if necessary.

Sure.

 It would be good for the AOOo PPMC to see this list as well. I think
 that the actual membership should be shared in private. Would someone
 with appropriate karma on the OOo MLs please provide this.

That'd be Rob or Malte or Martin? I suspect.

 You suggested: officesecur...@lists.freedesktop.org

Yep, luckily it is not created just yet.

 The comment was that this was not an appropriate domain name as not
 all of the Office Space is Linux. So, the open question is where
 the list is hosted.

Sure; so freedesktop is chosen only because it happens to be close to
hand, and more neutral than anything else I could think of in five
seconds, and less lame than eg. a sourceforge address. I had hoped that
there would be volunteers with more fun-sounding domains around that
could host a mailing list. IMHO it doesn't need to have ultra-rocket
powered security / mail encryption features - the problems are mostly
rather banal.

 Martin mentions hosting at Team OpenOffice, but that fails your
 neutrality test doesn't it?

Gosh - actually, I don't know. It is really not that clear to me where
Martin & co. stands on these things, though having read his intro mail
here which seemed (to me) to suggest that TDF should give up & go
home ;-) I'd tend to agree with that neutrality concern.

Of course, perhaps this is all overblown anyway; if the openoffice.org
domain was to become something common to, and shared by all those
distributing binaries based on the code, that might be the neutral place
we're looking for. Of course, so far its clear to me what the plans are
for the domain.

So where does that leave us ? one approach that hasn't been discussed
(and is perhaps a good compromise) - is for me to go ahead and setup the
list @freedesktop, and for you guys to advertise the @ooo alias on your
pages, and us to advertise the freedesktop one on ours.

That'd give a neutral venue, name, back-compat, no need to use the
freedesktop brand for AOOoI etc.

What do you think ?

Thanks,

Michael

-- 
michael.me...@suse.com  , Pseudo Engineer, itinerant idiot



Re: Neutral / shared security list ...

2011-10-25 Thread Florian Effenberger

Hi,

Rob Weir wrote on 2011-10-25 18:38:

I believe it is a bad pattern to establish for collaboration.  We need
to recognize that TDF/LO exists as a project, and AOOo exists as a
project.  Once we acknowledge this then it logically follows that
collaboration will occur between these two projects.  Do we create a
new mailing list or website, or wiki or whatever, every time we want
to collaborate?  Is that what we really want to start doing?  If we
want to coordinate on maintaining a module, we can't do it at Apache?
If we want to share translation strings, we can't do it at TDF?  If we
want to share anything, we need to create and maintain an entirely new
infrastructure for it?  Sorry, that does not make sense.


answering questions with other questions does not make sense.

Again, given the history of this topic, I think neutral grounds make 
sense. I made a proposal, and so far I have not heard any compelling 
reason why this proposal is wrong.


And I doubt you will name me one, because there is none.

Out for today, doing things that make sense.

Florian

--
Florian Effenberger flo...@documentfoundation.org
Steering Committee and Founding Member of The Document Foundation
Tel: +49 8341 99660880 | Mobile: +49 151 14424108
Skype: floeff | Twitter/Identi.ca: @floeff


Re: Neutral / shared security list ...

2011-10-25 Thread Dave Fisher
Rob,

Some points and a slight criticism about your style which is to put it mildly 
an acquired taste.

On Oct 25, 2011, at 8:41 AM, Rob Weir wrote:

 On Tue, Oct 25, 2011 at 11:24 AM, Dave Fisher dave2w...@comcast.net wrote:
 Hi Michael,
 
 On Oct 25, 2011, at 3:47 AM, Michael Meeks wrote:
 
 Hi Dave,
 
 On Mon, 2011-10-24 at 16:25 -0700, Dave Fisher wrote:
 Not sure how much this is like your original proposal, but maybe the
 following is acceptable:
 
 (1) The securityt...@openoffice.org continues.
 
   As mentioned, not happy about an openoffice.org domain; LibreOffice is
 not openoffice.org, that is not really neutral.
 
 Understood. It is a requirement for a neutral address. On our side it is a 
 desire for the same address

Rob - you've been misquoting Michael about neutral. Here he expressed his view 
succinctly.

I also think you might have finally made clear about what you mean by 
neutrality in your exchange with Florian. I think you mean a measure of 
trust, but verify.


snip

 
   So - I am still fairly firmly convinced that this security thing is 
 not
 going to pan out. Here is my potted history of it:
 
   * initial request for continuing the traditional,
 friendly cross membership of security lists
   + turned down at AOOoI: Apache Committers only
   * requests for a neutral list with neutral name turn into:
   + ASF  openoffice.org -are-neutral-; proof by assertion
   * more compromise proposals arrive
   + these have high level ASF governance hard-wired
 
 I can see how you would perceive the history this way.
 
 I think it would help to have a single ML and I think that is more important 
 than the address. securityt...@openoffice.org can be made to forward to that 
 address if necessary.
 
   This doesn't make it seem like we're going anywhere productive, which
 is fine - there is no huge problem with having two separate public
 facing security lists that can have cross membership on them.
 
   Since there is no TDF affiliated admin for the currently suggested,
 Apache controlled, 'neutral' security list, extracting a membership list
 of that would be appreciated - so we can mirror it in a suitable other
 place.
 
 It would be good for the AOOo PPMC to see this list as well. I think that 
 the actual membership should be shared in private. Would someone with 
 appropriate karma on the OOo MLs please provide this.
 
 
 -1 to that.  Sharing subscriber lists with other organizations is a
 violation of trust and violates personal data protection.

-1 is anti-social. -1 to your -1. Please stop these -1s. You don't win any 
friends this way. You drive people away. I had to waste time being annoyed.

 However, if someone wants to send a note to securityteam, inviting
 members to subscribe to another list, as an opt-in, that would
 address those concerns.

If the AOOo podling is responsible for the governance of the securityteam@oo.o 
list then it deserves to know who the heck is on the list.

If the PEER constituents of a shared securityteam@oo.o (or whatever list is 
decided) cannot know the membership of that list then the project should 
have zero to do with that list.

I know that the situation is not this extreme, but your -1s invite extreme 
reactions.

 
 But it would be good to think this through, and see if we can avoid an
 infinite regress of mailing lists.  We already have ooo-security and
 tdf-security and securityteam.  Are we really going to create a 4th
 one based on one person's irrational distrust of Apache?  What if we
 create that list and someone else expresses irrational distrust of
 that list?  (And don't say it could not happen).  And then the same
 thing with a 5th list?  I think it is easier just to work toward a
 security list with rational participants on it.

We are deciding what to do with securityteam@oo.o. Does it continue or is it 
replaced by another list? We are NOT deciding on 4th or 5th lists. Put those 
cats back in your hat, they are distractions for a rainy day. (Yes, I learned 
recursion from Dr. Seuss!)

Regards,
Dave

 
 -Rob
 
   I'm also minded to consider the relative grief of endlessly re-hashing
 this issue vs. actually fixing whatever bugs are found. Can we not just
 move on.
 
 You suggested: officesecur...@lists.freedesktop.org
 
 The comment was that this was not an appropriate domain name as not all of 
 the Office Space is Linux. So, the open question is where the list is 
 hosted.
 
 Martin mentions hosting at Team OpenOffice, but that fails your neutrality 
 test doesn't it?
 
 Regards,
 Dave
 
 
 
   All the best,
 
   Michael.
 
 --
 michael.me...@suse.com  , Pseudo Engineer, itinerant idiot
 
 
 



Re: Neutral / shared security list ...

2011-10-25 Thread Rob Weir
On Tue, Oct 25, 2011 at 12:46 PM, Florian Effenberger
flo...@documentfoundation.org wrote:
 Hi,

 Rob Weir wrote on 2011-10-25 18:38:

 I believe it is a bad pattern to establish for collaboration.  We need
 to recognize that TDF/LO exists as a project, and AOOo exists as a
 project.  Once we acknowledge this then it logically follows that
 collaboration will occur between these two projects.  Do we create a
 new mailing list or website, or wiki or whatever, every time we want
 to collaborate?  Is that what we really want to start doing?  If we
 want to coordinate on maintaining a module, we can't do it at Apache?
 If we want to share translation strings, we can't do it at TDF?  If we
 want to share anything, we need to create and maintain an entirely new
 infrastructure for it?  Sorry, that does not make sense.

 answering questions with other questions does not make sense.

 Again, given the history of this topic, I think neutral grounds make sense.
 I made a proposal, and so far I have not heard any compelling reason why
 this proposal is wrong.

 And I doubt you will name me one, because there is none.

It is like making a baby.  If you are covered head to toe in latex, it
ain't going to happen.  You're trying to do collaboration in a
hermetically sealed box, wearing gloves and pinching your nose so you
don't have to smell the other party.  Nothing useful will come from
that sterile approach.  Those who want to collaborate need to start
getting dirty, working on each other's existing mailing lists (sacre
bleu!) and acting more like hackers and less like cold war diplomats
arguing over the shape of the negotiating table.  Collaboration is not
about neutrality.  It is about collaboration.  The sooner we
acknowledge this out the sooner we'll achieve results.

Again, I invite you to accept our hospitality graciously, and continue
participation in the long-established OOo securityteam mailing list,
soon to be under Apache control and hosting.  I'd also love it if you
thought of some TDF-hosted service, in some other area, where you
could return the favor and allow us the honor of accepting your
hospitality, and give us the opportunity to demonstrate that we have
no problems in principle with collaborating with TDF/LO on web sites
that they control.

-Rob

 Out for today, doing things that make sense.

 Florian

 --
 Florian Effenberger flo...@documentfoundation.org
 Steering Committee and Founding Member of The Document Foundation
 Tel: +49 8341 99660880 | Mobile: +49 151 14424108
 Skype: floeff | Twitter/Identi.ca: @floeff



Re: Neutral / shared security list ...

2011-10-25 Thread Ian Lynch
On 25 October 2011 18:01, Rob Weir robw...@apache.org wrote:

 On Tue, Oct 25, 2011 at 12:46 PM, Florian Effenberger
 flo...@documentfoundation.org wrote:
  Hi,
 
  Rob Weir wrote on 2011-10-25 18:38:
 
  I believe it is a bad pattern to establish for collaboration.  We need
  to recognize that TDf/LO exists as a project, and AOOo exists as a
  project.  Once we acknowledge this then it logically follows that
  collaboration will occur between these two projects.  Do we create a
  new mailing list or website, or wiki or whatever, every time we want
  to collaborate?  Is that what we really want to start doing?  If we
  want to coordinate on maintaining a module, we can't do it at Apache?
  If we want to share translation strings, we can't do it at TDF?  If we
  want to share anything, we need to create and maintain an entirely new
  infrastructure for it?  Sorry, that does not make sense.
 
  answering questions with other questions does not make sense.
 
  Again, given the history of this topic, I think neutral grounds make
 sense.
  I made a proposal, and so far I have not heard any compelling reason why
  this proposal is wrong.
 
  And I doubt you will name me one, because there is none.

 It is like making a baby.


Well babies are usually made from love and tenderness (unless it's a
mistake) and I don't see too much of that in this approach. At least to get
started why not do it on a neutral list? Florian has made a perfectly
reasonable case for it. Is that so much to give up just to get something
going? In terms of baby making I'd say we need some serious marriage
guidance before even talking about getting in bed together never mind
wrapping anything in latex.

As a PPMC member I think we should show good will by going along with
Florian's suggestion and at least get one area of definite cooperation.
Where it happens is totally irrelevant.




  If you are covered head to toe in latex, it
 ain't going to happen.  You're trying to do collaboration in a
 hermetically sealed box, wearing gloves and pinching your nose so you
 don't have to smell the other party.  Nothing useful will come from
 that sterile approach.  Those who want to collaborate need to start
 getting dirty, working on each other's existing mailing lists (sacre
 bleu!) and acting more like hackers and less like cold war diplomats
 arguing over the shape of the negotiating table.  Collaboration is not
 about neutrality.  It is about collaboration.  The sooner we
 acknowledge this out the sooner we'll achieve results.

 Again, I invite you to accept our hospitality graciously, and continue
 participation in the long-established OOo securityteam mailing list,
 soon to be under Apache control and hosting.  I'd also love it if you
 thought of some TDF-hosted service, in some other area, where you
 could return the favor and allow us the honor of accepting your
 hospitality, and give us the opportunity to demonstrate that we have
 no problems in principle with collaborating with TDF/LO on web sites
 that they control.

 -Rob

  Out for today, doing things that make sense.
 
  Florian
 
  --
  Florian Effenberger flo...@documentfoundation.org
  Steering Committee and Founding Member of The Document Foundation
  Tel: +49 8341 99660880 | Mobile: +49 151 14424108
  Skype: floeff | Twitter/Identi.ca: @floeff
 


-- 
Ian

Ofqual Accredited IT Qualifications (The Schools ITQ)

www.theINGOTs.org +44 (0)1827 305940

The Learning Machine Limited, Reg Office, 36 Ashby Road, Tamworth,
Staffordshire, B79 8AQ. Reg No: 05560797, Registered in England and
Wales.


Re: Neutral / shared security list ...

2011-10-25 Thread Dave Fisher
Hi Michael,

On Oct 25, 2011, at 9:35 AM, Michael Meeks wrote:

 Hi Dave,
 
   First - thanks for being so reasonable :-) it is rather refreshing to
 talk details in a pleasant fashion.

You are welcome! I'm looking for common ground and I am trying to listen to 
logic.

 On Tue, 2011-10-25 at 08:24 -0700, Dave Fisher wrote:
 However, this is moot (does not matter) if the address is not in
 a domain that the ASF is responsible.
 
   Fair enough, seems we're on the same page here then.
 
 I would not have a process - we should just include everyone competent
 who has a reason to be there; that is normally fairly easy to work out
 relationally; if not the moderators can thrash it out. If it is a
 multi-vendor, neutral list I don't envisage controversy there.
 
 I don't either. My thought was to give individuals / peer projects time to
 appear. If they are welcomed gladly by the list after the list's
 establishment then no troubles.
 
   Sure - I suspect pre-populating with the previous guys, adding a few
 more interested & relevant parties and so on would be fine.
 
 I think it would help to have a single ML and I think that is more 
 important than the address.
 
   Completely agreed.
 
 securityt...@openoffice.org can be made to forward to that address
 if necessary.
 
   Sure.
 
 It would be good for the AOOo PPMC to see this list as well. I think
 that the actual membership should be shared in private. Would someone
 with appropriate karma on the OOo MLs please provide this.
 
   That'd be Rob or Malte or Martin? I suspect.

One or more of those three I think. Membership is a side issue from the plan.

 
 You suggested: officesecur...@lists.freedesktop.org
 
   Yep, luckily it is not created just yet.
 
 The comment was that this was not an appropriate domain name as not
 all of the Office Space is Linux. So, the open question is where
 the list is hosted.
 
   Sure; so freedesktop is chosen only because it happens to be close to
 hand, and more neutral than anything else I could think of in five
 seconds, and less lame than eg. a sourceforge address. I had hoped that
 there would be volunteers with more fun-sounding domains around that
 could host a mailing list. IMHO it doesn't need to have ultra-rocket
 powered security / mail encryption features - the problems are mostly
 rather banal.
 
 Martin mentions hosting at Team OpenOffice, but that fails your
 neutrality test doesn't it?
 
   Gosh - actually, I don't know. It is really not that clear to me where
 Martin & co. stands on these things, though having read his intro mail
 here which seemed (to me) to suggest that TDF should give up & go
 home ;-) I'd tend to agree with that neutrality concern.
 
   Of course, perhaps this is all overblown anyway; if the openoffice.org
 domain was to become something common to, and shared by all those
 distributing binaries based on the code, that might be the neutral place
 we're looking for. Of course, so far its clear to me what the plans are
 for the domain.

We do plan to port www.openoffice.org to support all the current non AL 
releases and archives. It will be branded in a way approved by the ASF removing 
Oracle logos, etc.

While the AOOo project will control the website content through the Apache SVN, 
there is no reason that some of the openoffice.org services couldn't be hosted 
elsewhere. The main requirements would be OOo branding and nominal AOOo 
oversight.

   So where does that leave us ? one approach that hasn't been discussed
 (and is perhaps a good compromise) - is for me to go ahead and setup the
 list @freedesktop, and for you guys to advertise the @ooo alias on your
 pages, and us to advertise the freedesktop one on ours.
 
   That'd give a neutral venue, name, back-compat, no need to use the
 freedesktop brand for AOOoI etc.
 
   What do you think ?

I think we are getting somewhere. The last detail is which is the real ML and 
which is the forwarder. While the AOOo project might prefer to have that be the 
original securityteam@oo.o the best choice is really technical.

Let's think about the operation from the point of view of the user who sends a 
report to this two headed list. By default when a reply is sent it will have a 
reply-to from the real ML. If the user sent the message to the forwarding ML 
they may be confused (and upset.)

I think where the real shared securityteam ML exists should be determined by 
the flexibility in handling this situation. Ideally the user should feel that 
they are conversing with the ML they think they are sending to.

In the absence of such flexibility from a ML host then clear instructions on 
the site that links to the forwarding ML should be enough.

The simplest solution would be for TDF to setup a forwarder to the existing 
securityteam@oo.o. I suspect the best solution might be the other way, but 
would need to know the provider and what special services they have.

Regards,
Dave


 
   

Re: Neutral / shared security list ...

2011-10-25 Thread Rob Weir
On Tue, Oct 25, 2011 at 1:18 PM, Ian Lynch ianrly...@gmail.com wrote:
 On 25 October 2011 18:01, Rob Weir robw...@apache.org wrote:

 On Tue, Oct 25, 2011 at 12:46 PM, Florian Effenberger
 flo...@documentfoundation.org wrote:
  Hi,
 
  Rob Weir wrote on 2011-10-25 18:38:
 
  I believe it is a bad pattern to establish for collaboration.  We need
  to recognize that TDf/LO exists as a project, and AOOo exists as a
  project.  Once we acknowledge this then it logically follows that
  collaboration will occur between these two projects.  Do we create a
  new mailing list or website, or wiki or whatever, every time we want
  to collaborate?  Is that what we really want to start doing?  If we
  want to coordinate on maintaining a module, we can't do it at Apache?
  If we want to share translation strings, we can't do it at TDF?  If we
  want to share anything, we need to create and maintain an entirely new
  infrastructure for it?  Sorry, that does not make sense.
 
  answering questions with other questions does not make sense.
 
  Again, given the history of this topic, I think neutral grounds make
 sense.
  I made a proposal, and so far I have not heard any compelling reason why
  this proposal is wrong.
 
  And I doubt you will name me one, because there is none.

 It is like making a baby.


 Well babies are usually made from love and tenderness (unless it's a
 mistake) and I don't see too much of that in this approach. At least to get
 started why not do it on a neutral list? Florian has made a perfectly
 reasonable case for it. Is that so much to give up just to get something
 going? In terms of baby making I'd say we need some serious marriage
 guidance before even talking about getting in bed together never mind
 wrapping anything in latex.

 As a PPMC member I think we should show good will by going along with
 Florian's suggestion and at least get one area of definite cooperation.
 Where it happens is totally irrelevant.


Then perhaps pursue one of the 6 or other options I raised for
collaboration, unrelated to security. But I think we do poorly if PPMC
members who are not involved with security use this list proposal as
their playground for collaborative experimentation.  There is a reason
why we created a separate ooo-security list with only a subset of PPMC
members.




  If you are covered head to toe in latex, it
 ain't going to happen.  You're trying to do collaboration in a
 hermetically sealed box, wearing gloves and pinching your nose so you
 don't have to smell the other party.  Nothing useful will come from
 that sterile approach.  Those who want to collaborate need to start
 getting dirty, working on each other's existing mailing lists (sacre
 bleu!) and acting more like hackers and less like cold war diplomats
 arguing over the shape of the negotiating table.  Collaboration is not
 about neutrality.  It is about collaboration.  The sooner we
 acknowledge this out the sooner we'll achieve results.

 Again, I invite you to accept our hospitality graciously, and continue
 participation in the long-established OOo securityteam mailing list,
 soon to be under Apache control and hosting.  I'd also love it if you
 thought of some TDF-hosted service, in some other area, where you
 could return the favor and allow us the honor of accepting your
 hospitality, and give us the opportunity to demonstrate that we have
 no problems in principle with collaborating with TDF/LO on web sites
 that they control.

 -Rob

  Out for today, doing things that make sense.
 
  Florian
 
  --
  Florian Effenberger flo...@documentfoundation.org
  Steering Committee and Founding Member of The Document Foundation
  Tel: +49 8341 99660880 | Mobile: +49 151 14424108
  Skype: floeff | Twitter/Identi.ca: @floeff
 


 --
 Ian

 Ofqual Accredited IT Qualifications (The Schools ITQ)

 www.theINGOTs.org +44 (0)1827 305940

 The Learning Machine Limited, Reg Office, 36 Ashby Road, Tamworth,
 Staffordshire, B79 8AQ. Reg No: 05560797, Registered in England and
 Wales.



Re: [Proposal] Security coordination without a shared list

2011-10-25 Thread Dave Fisher
Rob,

I'd like to actually try to work out the shared list situation with a sincere 
spirit of mutual understanding, listening and co-operation.

On Oct 25, 2011, at 9:08 AM, Rob Weir wrote:

 There is an easy way to avoid all the trust issues with regards to
 shared mailing lists.  Don't have such a list.  Trust individuals.
 This proposal takes this approach.
 
 1) The AOOo PMC solicits the names of security contacts from related
 projects who wish to be consulted related to pre-disclosure
 coordination related to analysis and resolution of reported security
 vulnerabilities.  Names of individuals are preferred over opaque
 mailing lists.  Trust can be established based on a PGP/GPG web of
 trust.  These names and addresses are stored confidentially in the
 PPMC's private SVN directory.

Do you have software that actually exists that does this? Who is going to build 
this?

 
 2) The AOOo security team reaches out to these contacts, as
 appropriate, via their preferred contact mechanism, to coordinate on
 specific vulnerabilities.  We (Apache) would cc ooo-security on our
 external emails, as required by Apache policy [1].

Replies would not necessarily be cc'd to ooo-security and that would be a 
problem.

 
 3) Other groups would be encouraged to reach out to AOOo in similar
 circumstances via our preferred contact mechanism, ooo-security.
 
 4) This fully allows targeted collaboration on specific issues, via
 each project's preferred contact mechanism,  without requiring the
 maintenance of an additional email list.
 
 5)  If we want to discuss security in general, then that can/should
 happen on public dev lists.  That public discussion could occur
 anywhere.
 
 
 [1]: http://www.apache.org/security/committers.html

Time to be productive today.

Regards,
Dave





Re: Draft mailing list notification post

2011-10-25 Thread Dave Fisher
I wonder if this is too technically detailed.

Since the recipient is a ML user that impact should be noted near the top.

The information about what the ASF / podling process is all about should be at 
the end.

Information here to go to find out about AOOo release plans would be helpful. A 
wiki page with updates.

A link to the ooo blog.

On Oct 25, 2011, at 5:57 AM, Rob Weir wrote:

 On the wiki here:
 
 https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post
 
 Feel free to make changes directly on the wiki, or suggest them as
 responses to this note.  I don't think we want to overburden the
 reader with a recitation of migration facts, but instead motivate them
 to take the desired actions.  But since this will be for many the
 first note they officially receive from the PPMC, it should probably
 have some introductory information, and a welcome and invitation to
 get involved (stay involved) with the project.
 
 -Rob



Re: working on a OpenOffice roadmap

2011-10-25 Thread Simon Phipps
I'm at a dinner so my apologies for the top-post, but really, I'm trying to
help Pedro (and now it seems you) see things from /outside/ the Apache
worldview and understand why the mistrust is brewing. I can recite the
Apache mantra too, it's just no-one here needs to hear it any more :-)

--
Simon Phipps
{Terse? Mobile!}
On Oct 25, 2011 3:01 PM, Shane Curcuru a...@shanecurcuru.org wrote:

 Thank you Pedro for the very well thought out and politely presented
 explanation of your point.  It's very helpful to have this kind of honest
 and detailed discussion, especially when tempers run high, and doubly so
 when there's such a clear (and unfortunate) distrust between AOOo community
 members and folks working on TDF/LO.

 Personally, I agree: the point is that if TDF/LO also encourages /
 documents as an additional optional step / even simply allows in some
 obvious public way for people submitting patches that could apply to AOOo
 under both licenses, that would be a big win for the ecosystem. AOOo code
 will already be fully useable by LO, so I find it hard to see what the harm
 is in allowing TDF/LO contributors to know about the option of dual
 licensing specific patches under the AL.

 This is certainly not something aimed at hurting LO, and certainly doesn't
 apply to new or changed work in LO.  But it would be nice to discuss the
 possibility of having code that both projects can use without getting
 everyone's hackles up.  Especially since the alternative seems to be that
 Simon (I think) is saying he'd effectively rather see everyone contributing
 code exclusively to one project, and explicitly not allowing it to be
 contributed into the other.

 This is exactly why I believe in the Apache license.  I believe that
 *people* should be free.  Users of our Apache software should be free to use
 it as they see fit.  If they contribute changes back, that's great - but
 what's important for open source is that humans now have access to a wealth
 of powerful software for free that they can use openly, easily, and for
 their own purposes, without undue restrictions.

 - Shane

 P.S. and really, while the iCLA is a required step to become a committer at
 Apache, it really shouldn't be such a large club to hit us over the head
 repeatedly.  It's not needed for most patches like I thought we were
 discussing here.

 On 10/25/2011 7:25 AM, Pedro Giffuni wrote:

 Hi Simon;

 I try to give people the benefit of the doubt. Ethos is
 something that goes well beyond a license, and once you
 read the iCLA it's not an impossible thing to ask (you
 signed it), and it's surely not what SUN had in place.

 That said, and its something I have argued about
 publicly with Rob, while the iCLA is a requisite to
 become a committer, it is not a requisite to contribute.

 Furthermore, once we start doing releases (and trust me,
 we will get there) they are likely to start including AL2
 code anyways.

 Am I naive? Yes. I was never part of the previous OOo
 community led by SUN so perhaps not having that trauma
 helps me see things a lot simpler than they are.

 There is an evident lack of confidence in us over there
 and as I said before, in private, we can't start activities
 like a shared security list if there is no confidence first.

 I stand to the principle that we are neutral, and that
 every vendor or community member is free to join or leave
 whenever they want

 Pedro.

 --- On Tue, 10/25/11, Simon Phipps si...@webmink.com wrote:


 On Mon, Oct 24, 2011
 at 8:20 PM, Pedro Giffuni p...@apache.org
 wrote:





 If libreoffice encourages, but not requires, AL2

 for stuff in the core package, that would be a huge

 advance to get a bit nearer both camps.

 Given licenses are the expression of the ethos of a
 community, it's disingenuous and divisive to assume any
 community will drop its governance approach like this,
 Pedro. It translates as the path to collaboration is
 your surrender; we can negotiate once you've done
 that.  You make it sound so innocent, too, by missing
 out the other requirement that Apache would have for
 contributors to sign an ICLA and thus join Apache :-)



 S.






Re: Neutral / shared security list ...

2011-10-25 Thread Michael Meeks

On Tue, 2011-10-25 at 10:22 -0700, Dave Fisher wrote:
 You are welcome! I'm looking for common ground and I am trying to listen to 
 logic.

:-)

  So where does that leave us ? one approach that hasn't been discussed
  (and is perhaps a good compromise) - is for me to go ahead and setup the
  list @freedesktop, and for you guys to advertise the @ooo alias on your
  pages, and us to advertise the freedesktop one on ours.
..
  What do you think ?
 
 I think we are getting somewhere. The last detail is which is the real ML
 and which is the forwarder. While the AOOo project might prefer to have

Fair point - for ultra-fairness we should perhaps publish two
forwarding addresses - securityteam@oo.o and securityteam@tdf one each,
both pointing at the neutrally hosted list.

Regards,

Michael.

-- 
michael.me...@suse.com  , Pseudo Engineer, itinerant idiot



Re: Draft mailing list notification post

2011-10-25 Thread Rob Weir
On Tue, Oct 25, 2011 at 1:45 PM, Dave Fisher dave2w...@comcast.net wrote:
 I wonder if this is too technically detailed.

 Since the recipient is a ML user that impact should be noted near the top.

 The information about what the ASF / podling process is all about should be 
 at the end.


The feedback we received when we sent an earlier list migration note
to the users and discuss list, after we initially set up ooo-users,
was along the lines of Who the hell are you and why is this the first
we are hearing about the migration?.  That is why I put the
introductory ASF stuff at the top, to put it in context.

Of course, doing that could lead people to ignore the note, thinking
there is nothing important in it.  So that's why I started by saying
the note was important.  But I realize that that itself could increase
the chance of the email being ignored,  since emails that say they are
important rarely are.

So how can we have both a good intro as well as get a high response rate?

Maybe split this into two emails, and space them a week apart?  So one
email that is the intro, gives the background on the Incubation, the
migration effort, etc.  Short and sweet.  They might actually read it.
 Then follow a week later with As we previously mentioned in our note
last week  We're starting the list migration now. To join the new
list you will need to

Would that be better?

 Information here to go to find out about AOOo release plans would be helpful. 
 A wiki page with updates.


We have a release plan?   I suppose we can put a placeholder page.

 A link to the ooo blog.


Good idea.

Maybe also include on every post a link to the ooo-dev and ooo-users
lists, since those are our main ones.

-Rob

 On Oct 25, 2011, at 5:57 AM, Rob Weir wrote:

 On the wiki here:

 https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post

 Feel free to make changes directly on the wiki, or suggest them as
 responses to this note.  I don't think we want to overburden the
 reader with a recitation of migration facts, but instead motivate them
 to take the desired actions.  But since this will be for many the
 first note they officially receive from the PPMC, it should probably
 have some introductory information, and a welcome and invitation to
 get involved (stay involved) with the project.

 -Rob




Re: Neutral / shared security list ...

2011-10-25 Thread Wolf Halton
On Tue, Oct 25, 2011 at 1:55 PM, Michael Meeks michael.me...@suse.com wrote:


 On Tue, 2011-10-25 at 10:22 -0700, Dave Fisher wrote:
  You are welcome! I'm looking for common ground and I am trying to listen
 to logic.

 :-)

   So where does that leave us ? one approach that hasn't been
 discussed
   (and is perhaps a good compromise) - is for me to go ahead and setup
 the
   list @freedesktop, and for you guys to advertise the @ooo alias on your
   pages, and us to advertise the freedesktop one on ours.
 ..
   What do you think ?
 
  I think we are getting somewhere. The last detail is which is the real ML
  and which is the forwarder. While the AOOo project might prefer to have

 Fair point - for ultra-fairness we should perhaps publish two
 forwarding addresses - securityteam@oo.o and securityteam@tdf one each,
 both pointing at the neutrally hosted list.

Regards,

Michael.

 --
 michael.me...@suse.com  , Pseudo Engineer, itinerant idiot

 +1 for neutral ground

-Wolf



-- 
This Apt Has Super Cow Powers - http://sourcefreedom.com


Re: Draft mailing list notification post

2011-10-25 Thread Marcus (OOo)

On 10/25/2011 07:58 PM, Rob Weir wrote:

On Tue, Oct 25, 2011 at 1:45 PM, Dave Fisher dave2w...@comcast.net wrote:

I wonder if this is too technically detailed.

Since the recipient is a ML user that impact should be noted near the top.

The information about what the ASF / podling process is all about should be at 
the end.



The feedback we received when we sent an earlier list migration note
to the users and discuss list, after we initially set up ooo-users,
was along the lines of Who the hell are you and why is this the first
we are hearing about the migration?.  That is why I put the
introductory ASF stuff at the top, to put it in context.

Of course, doing that could lead people to ignore the note, thinking
there is nothing important in it.  So that's why I started by saying
the note was important.  But I realize that that itself could increase
the chance of the email being ignored,  since emails that say they are
important rarely are.

So how can we have both a good intro as well as get a high response rate?


There will be always a number of people that will not do what you (we) 
would expect. So, we should try to make it best as possible. IMHO the 
draft is that.



Maybe split this into two emails, and space them a week apart?  So one
email that is the intro, gives the background on the Incubation, the
migration effort, etc.  Short and sweet.  They might actually read it.
  Then follow a week later with As we previously mentioned in our note
last week  We're starting the list migration now. To join the new
list you will need to

Would that be better?


Maybe. But then the first mail should contain something like ... today 
we want to explain who we are, where the OOo project is going to and 
what will happen with this ML in x days. A second mail will be sent with 
more details and technical stuff



Information here to go to find out about AOOo release plans would be helpful. A 
wiki page with updates.



We have a release plan?   I suppose we can put a placeholder page.


A link to the ooo blog.



Good idea.


Yes, some more links for the normal user.


Maybe also include on every post a link to the ooo-dev and ooo-users
lists, since those are our main ones.


Marcus




On Oct 25, 2011, at 5:57 AM, Rob Weir wrote:


On the wiki here:

https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post

Feel free to make changes directly on the wiki, or suggest them as
responses to this note.  I don't think we want to overburden the
reader with a recitation of migration facts, but instead motivate them
to take the desired actions.  But since this will be for many the
first note they officially receive from the PPMC, it should probably
have some introductory information, and a welcome and invitation to
get involved (stay involved) with the project.

-Rob


Re: [proposal] development for the first AOO release

2011-10-25 Thread Wolf Halton
Pedro ++


On Mon, Oct 24, 2011 at 11:26 AM, Pedro Giffuni p...@apache.org wrote:

 Please note that we are doing both simultaneously to
 avoid breaking the build.

 We do have to update the task list. There are some
 uncommitted advances (libegg, ucpp) and some WIP
 (nss), but there are still some binaries used in
 the windows build and the glibc stubs. Otherwise,
 we are doing pretty well and it's a matter of hoping
 Oracle won't leave additional license holes in the
 SGA.

 Pedro.

 --- On Mon, 10/24/11, Oliver-Rainer Wittmann wrote:

  Hi,
 
  I would like to propose the following development
  milestones on our way to the first AOO release:
 
  - IP cleared milestone
  For this milestone we should remove all 3rd party
  components which are not compliant to Apache's Third-Party
  Licensing Policy [1]. All license headers in the source
  code files should be updated according to Oracle's SGA.
  Additionally, we may update certain information in the
  product in order to reflect that the product is now coming
  from Apache (e.g. the splash screen, the about dialog,
  ...).
  Then the IP review required by Apache could be performed in
  order to meet the corresponding requirements for our first
  release.
  This milestone would result in an OpenOffice.org missing a
  lot of important features, but this milestone would be the
  basis regarding Apache's IP rules. This milestone could be
  released according to the Apache rules.
 
  - features back milestone
  For this milestone we should work on bringing back the
  features which are lost in the previous milestone. I do not
  think that we have to bring back every feature for a first
  release. Thus, we would have got the possibility to work on
  the features which are of most interest. At some point we
  could create a release candidate and start working on
  stabilizing it for a first release, if we think that the
  must have features are back.
 
 
  In order to coordinate efforts and to avoid duplicate work
  I propose to use the IP clearance wiki page [2].
  The basis for its content is more or less the Apache
  Migration wiki page [3]. Some additional information has
  been collected on certain 3rd party components. Also
  priorities have been assigned. But its content is not
  nailed in stone. It currently reflects more or less the
  input and opinions of the editing contributors to these IP
  clearance issues. Thus, it would be a living document to
  reflect our knowledge about these IP clearance issues. It
  would also document our efforts and our decisions regarding
  these efforts.
 
 
  Any remarks/comments/improvements/adjustments?
  Any objections to follow such plan for our first release?
 
 
  Best regards, Oliver.
 
  P.S.: I will be out-of-office for the rest of the week.
  Thus, I will probably not reply to your input regarding my
  proposal this week - please excuse.
 
  References:
  [1] http://www.apache.org/legal/3party.html
  [2] https://cwiki.apache.org/confluence/display/OOOUSERS/IP_Clearance
  [3] http://ooo-wiki.apache.org/wiki/ApacheMigration
 




-- 
This Apt Has Super Cow Powers - http://sourcefreedom.com


Re: [Proposal] Shutting down legacy OOo mailing lists

2011-10-25 Thread Dave Fisher
Hi Rob,

On Oct 25, 2011, at 7:27 AM, Rob Weir wrote:

 On Mon, Oct 17, 2011 at 11:35 AM, Dave Fisher dave2w...@comcast.net wrote:
 
 snip
 In the three to four weeks that it will take to get to step (7) AOOo and 
 Apache Infra should have control over the openoffice.org MX records. An 
 easier alternative would be to decide what MX services we want to continue 
 on openoffice.org and do the MX migration at this point. Even if it will 
 bounce and/or forward email.
 
 
 Can we talk through that option a little more?  Take a legacy list
 like us...@openoffice.org.  If we try to handle this via the MX
 record, then that applies to the entire domain, all mailing lists as
 well as forwarding email account at openoffice.org.  Is that correct?
 In other words, the MX record is at the level of openoffice.org, not
 at the level of us...@openoffice.org.

Correct. It is the whole domain.

 So in the MX approach, is there any way to do a more gradual
 migration, or do we need to do it all at once, including the
 forwarding accounts?  I know for web traffic, there is some
 flexibility at the subdomain level.  But these are all the same
 domain, just differing by account.

When we leave Kenai/Oracle and move to ASF we are doing it all at once. In 
advance we will need to tell Infrastructure what forwarders and mailboxes we 
require. They'll tell us if there are any mailboxes (like postmaster) that we 
might be required to monitor (could be none.)

If securityteam@oo.o becomes a forwarder then that is one mailbox we don't need.


 
 Suppose there is some way to get over that.  Then we could create
 identically named (or predictably mappable) equivalent lists using
 ezmlm.  But since we're not able to automatically sign users up, the
 traffic forwarding would all end up in the moderator queues.  Of
 course, these could be passed through.  We could even white list the
 addresses.  (or black list in the case of spammers)  But it doesn't
 get people signed up on the ezmlm list.
 
 Where this might be useful is for cases where a legacy email list
 address is on a third party page, or maybe even in our own legacy list
 archives.  Someone does a Google search and sees something that says,
 If you run into this problem, please send an email to
 f...@openoffice.org.  Some degree of forwarding for these emails would
 ensure such users don't get lost.
 
 But we can't simply forward *.openoffice.org to a
 ooo-legacy-bucket.i.a.o email list, since many of the *.openoffice.org
 are personal forwarding addresses and contain personal content.  And
 some lists are private lists.  So any forwarding scheme would need to
 be very sensitive to these details and would likely need an actual
 enumeration of the 300 or so lists and the unknown number of official
 contact emails (webmaster, etc.) that we want to forward.

Your excursion into hypotheticals has led you back to reality. We have a table 
of forwarders and we ask Apache Infrastructure to implement it as part of 
hosting openoffice.org's MX.

The only question is if we need any openoffice.org mailboxes.

I think we have to either keep a set of personal OOo forwarders ala apache.org 
forwarders, or none at all. Forwarders not kept will bounce. It is possible 
that we can control the 550 (?) unknown user bounce message. We'll need to 
ask Infrastructure about it.

We decided earlier not to keep personal forwarders.

We could make it so all the committers on AOOo could have openoffice.org 
forwarders to their apache.org addresses which then forward where selected.

 
 Do you see that path in a similar way?  Or do you see a simpler way of
 doing that?

Without the digression, yes, similar, but with the added question about real 
mailboxes.

Regards,
Dave


 
 -Rob
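
The explicit forwarder table discussed in this message, sketched as an added example (it is not part of the thread and is not Apache Infrastructure's configuration). All addresses, the `legacy.example` domain and the function names are placeholders assumed for illustration. It shows unlisted recipients bouncing with 550, chained forwarders being resolved, and a pre-cut-over audit that rejects catch-alls, loops and private mail reaching a public list.

```python
"""Added example: explicit forwarder table for a domain-wide MX cut-over."""

LEGACY_DOMAIN = "legacy.example"   # placeholder for the domain whose MX moves
MAX_HOPS = 5                       # assumed limit on chained forwarders

# Constructed sample table: every address here is invented for this example.
FORWARDERS = {
    "securityteam@legacy.example": ["ooo-security@newhost.example"],
    "users@legacy.example": ["ooo-users@newhost.example"],
    "webmaster@legacy.example": ["alice@legacy.example"],
    "alice@legacy.example": ["alice@newhost.example"],
    "alice@newhost.example": ["alice@mailbox.example"],
}
PRIVATE_SOURCES = {"securityteam@legacy.example"}   # must never be archived
PUBLIC_TARGETS = {"ooo-users@newhost.example"}      # publicly archived lists

# Constructed table with the mistakes the thread warns about.
BAD_TABLE = {
    **FORWARDERS,
    "*@legacy.example": ["legacy-bucket@newhost.example"],
    "securityteam@legacy.example": ["ooo-users@newhost.example"],
    "loop-a@legacy.example": ["loop-b@legacy.example"],
    "loop-b@legacy.example": ["loop-a@legacy.example"],
}


class ForwardingError(Exception):
    """The table cannot deliver this recipient safely."""


def resolve(rcpt, table=FORWARDERS):
    """Return (smtp_code, sorted final destinations) for one recipient."""
    rcpt = rcpt.lower()
    if rcpt not in table:
        # No catch-all: an unlisted address bounces instead of leaking.
        return (550, [])
    final, stack = set(), [(rcpt, (rcpt,))]
    while stack:
        addr, path = stack.pop()
        for target in table[addr]:
            target = target.lower()
            if target in path:
                raise ForwardingError("loop: " + " -> ".join(path + (target,)))
            if len(path) >= MAX_HOPS:
                raise ForwardingError("too many hops from " + rcpt)
            if target in table:
                stack.append((target, path + (target,)))
            elif target.endswith("@" + LEGACY_DOMAIN):
                # Would be accepted and then bounce on the second hop.
                raise ForwardingError("dangling legacy target: " + target)
            else:
                final.add(target)
    return (250, sorted(final))


def audit(table, private_sources, public_targets):
    """Return the problems that should block the cut-over (empty if none)."""
    problems = []
    for source in sorted(table):
        local, _, domain = source.partition("@")
        if "*" in source or not local or not domain:
            problems.append(f"{source}: wildcard or catch-all entry")
            continue
        try:
            _, final = resolve(source, table)
        except ForwardingError as exc:
            problems.append(f"{source}: {exc}")
            continue
        leaked = sorted(set(final) & public_targets)
        if source in private_sources and leaked:
            problems.append(f"{source}: private mail reaches public {leaked[0]}")
    return problems


if __name__ == "__main__":
    print(resolve("webmaster@legacy.example"))
    print(resolve("nobody@legacy.example"))
    for line in audit(BAD_TABLE, PRIVATE_SOURCES, PUBLIC_TARGETS):
        print("BLOCK:", line)
```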



Re: Draft mailing list notification post

2011-10-25 Thread Rob Weir
On Tue, Oct 25, 2011 at 2:16 PM, Marcus (OOo) marcus.m...@wtnet.de wrote:
 Am 10/25/2011 07:58 PM, schrieb Rob Weir:

 On Tue, Oct 25, 2011 at 1:45 PM, Dave Fisher dave2w...@comcast.net
  wrote:

 I wonder if this is too technically detailed.

 Since the recipient is a ML user that impact should be noted near the
 top.

 The information about what the ASF / podling process is all about should
 be at the end.


 The feedback we received when we sent an earlier list migration note
 to the users and discuss list, after we initially set up ooo-users,
 was along the lines of Who the hell are you and why is this the first
 we are hearing about the migration?.  That is why I put the
 introductory ASF stuff at the top, to put it in context.

 Of course, doing that could lead people to ignore the note, thinking
 there is nothing important in it.  So that's why I started by saying
 the note was important.  But I realize that that itself could increase
 the chance of the email being ignored,  since emails that say they are
 important rarely are.

 So how can we have both a good intro as well as get a high response rate?

 There will be always a number of people that will not do what you (we) would
 expect. So, we should try to make it best as possible. IMHO the draft is
 that.

 Maybe split this into two emails, and space them a week apart?  So one
 email that is the intro, gives the background on the Incubation, the
 migration effort, etc.  Short and sweet.  They might actually read it.
  Then follow a week later with As we previously mentioned in our note
 last week  We're starting the list migration now. To join the new
 list you will need to

 Would that be better?

 Maybe. But then the first mail should contain something like ... today we
 want to explain who we are, where the OOo project is going to and what will
 happen with this ML in x days. A second mail will be sent with more details
 and technical stuff 


We can also use the initial email to prompt the discussion on whether
there is sufficient interest for an NL list.   Requesting a new list
can take 1 or 2 weeks, so we do need some lead time for this.  An
initial note could be useful for that purpose.

 Information here to go to find out about AOOo release plans would be
 helpful. A wiki page with updates.


 We have a release plan?   I suppose we can put a placeholder page.

 A link to the ooo blog.


 Good idea.

 Yes, some more links for the normal user.

 Maybe also include on every post a link to the ooo-dev and ooo-users
 lists, since those are our main ones.

 Marcus



 On Oct 25, 2011, at 5:57 AM, Rob Weir wrote:

 On the wiki here:


 https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post

 Feel free to make changes directly on the wiki, or suggest them as
 responses to this note.  I don't think we want to overburden the
 reader with a recitation of migration facts, but instead motivate them
 to take the desired actions.  But since this will be for many the
 first note they officially receive from the PPMC, it should probably
 have some introductory information, and a welcome and invitation to
 get involved (stay involved) with the project.

 -Rob



Re: Neutral / shared security list ...

2011-10-25 Thread Pedro Giffuni
I am not in the PPMC specifically to avoid participating in this type of
discussions, but I have to say this, just IMHO:

I fail to understand why the ASF is not considered neutral, deep
inside I think the reason is simply because this year we got a bigger
toy in our Christmas tree that they wanted. Hope I am wrong.

We owe to our millions of users out there to maintain our own security
channels and we cannot delegate them to a third party. Looking for
an unrelated domain to handle our issues is like giving your children
to your neighbors so they educate them impartially.

If there is no interest in bringing the code bases together I think there
is not much to gain on a shared security list on the long run.

Pedro.

Re: Neutral / shared security list ...

2011-10-25 Thread Christian Lohmaier
Hi Pedro, *,

On Tue, Oct 25, 2011 at 8:42 PM, Pedro Giffuni p...@apache.org wrote:
 I am not in the PPMC specifically to avoid participating in this type of
 discussions, but I have to say this, just IMHO:

 I fail to understand why the ASF is not considered neutral,

The ASF people is not the big problem. It is having @openoffice.org or
@apache.org as part of the address.

You wouldn't be OK with the list being @libreoffice.org or
@documentfoundation.org, would you?

Those are not neutral either. As I don't think this point is so hard
to understand, I can only assume Rob is reiterating on this stuff and
throwing in trust is what matters on purpose.

This has nothing to do with trust.

 We owe to our millions of users out there to maintain our own security
 channels and we cannot delegate them to a third party.

So why do you think it is OK for TDF/LibreOffice to do so?

(I know you're now switching from the neutrality issue to the
administration part, but that once again is a different issue. Here is
where trust also comes into play, but not any more than you have to
trust the people who are subscribed to those lists)

 Looking for
 an unrelated domain to handle our issues is like giving your children
 to your neighbors so they educate them impartially.

For TDF,  @apache.org or @openoffice.org would be unrelated, a
different party.

ciao
Christian


Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance

2011-10-25 Thread Christian Lohmaier
Hi Robert, *,

On Tue, Oct 25, 2011 at 5:05 PM, Robert Burrell Donkin
robertburrelldon...@gmail.com wrote:
 On Tue, Oct 25, 2011 at 1:38 PM, Christian Lohmaier
 cl...@openoffice.org wrote:
 On Tue, Oct 25, 2011 at 2:15 PM, Robert Burrell Donkin
 robertburrelldon...@gmail.com wrote:
 On Tue, Oct 25, 2011 at 12:36 PM, Christian Lohmaier
 cl...@openoffice.org wrote:
 [...]
 Better to download the signature over HTTPS but yes, I see no reason
 why this approach could not be made to work

 With signature I meant a real signature (gpg signature), not a md5sum
 or sha1sum file.
 When it is a cryptographic signature, it doesn't matter how you
 download it, as it cannot be faked.
 (of course the user has to get the proper key, but that's a different issue)

 FWIW it's a defense in depth measure[1]
[...]
 [1] Consider an attacker with some ability to fabricate convincing
 signatures.

Define convincing signatures. If anyone were to be able to create
convincing gpg signatures of Apache releases, then this...

 Downloading the signature from a trusted server means that
 such an attacker would need to replace an existing signature on secure
 hardware without detection.

is moot anyway, the lesser problem to be concerned about. And this
btw. is not any different than to download the torrent via https.

 So it is not a matter of infrastructure, but a matter of policy.

 Where's the URL for this policy?

I didn't mean to imply there was a set-in-stone policy already. What I
meant was that it is up to the project to decide whether torrents are
used or not, that the technical implementation of using torrents is so
simple that apache infrastructure is not needed at all. You want
torrents, you got torrents. You don't want them, you just don't use
them.

(Of course I don't know whether Apache as a whole has a written policy
or guidelines wrt. using torrents, but I don't think there is one)

ciao
Christian


Re: Neutral / shared security list ...

2011-10-25 Thread Rob Weir
On Tue, Oct 25, 2011 at 2:52 PM, Christian Lohmaier
cl...@openoffice.org wrote:
 Hi Pedro, *,

 On Tue, Oct 25, 2011 at 8:42 PM, Pedro Giffuni p...@apache.org wrote:
 I am not in the PPMC specifically to avoid participating in this type of
 discussions, but I have to say this, just IMHO:

 I fail to understand why the ASF is not considered neutral,

 The ASF people is not the big problem. It is having @openoffice.org or
 @apache.org as part of the address.

 You wouldn't be OK with the list being @libreoffice.org or
 @documentfoundation.org, would you?

 Those are not neutral either. As I don't think this point is so hard
 to understand, I can only assume Rob is reiterating on this stuff and
 throwing in trust is what matters on purpose.

 This has nothing to do with trust.


I think it has everything to do with trust, and nothing to do with neutrality.

TDF is not the only other party in the universe.  We are glad to hear
your opinions, but they are not determinative of our actions.  We also
need to be concerned with the trust of users, with other downstream
consumers and with security researchers.  As a name, an apache.org
address is far more trusted in this area than any new name that you
might find for a list.  In the end, trust is earned.  It is not
something you buy from GoDaddy.

-Rob

 We owe to our millions of users out there to maintain our own security
 channels and we cannot delegate them to a third party.

 So why do you think it is OK for TDF/LibreOffice to do so?

 (I know you're now switching from the neutrality issue to the
 administration part, but that once again is a different issue. Here is
 where trust also comes into play, but not any more than you have to
 trust the people who are subscribed to those lists)

 Looking for
 an unrelated domain to handle our issues is like giving your children
 to your neighbors so they educate them impartially.

 For TDF,  @apache.org or @openoffice.org would be unrelated, a
 different party.

 ciao
 Christian



Re: Neutral / shared security list ...

2011-10-25 Thread Dave Fisher
Hi Pedro,

On Oct 25, 2011, at 11:42 AM, Pedro Giffuni wrote:

 I am not in the PPMC specifically to avoid participating in this type of
 discussions, but I have to say this, just IMHO:

I appreciate your decision to focus on the code. Project management keeps 
pulling me away from code ... for too many years.

 
 I fail to understand why the ASF is not considered neutral, deep
 inside I think the reason is simply because this year we got a bigger
 toy in our Christmas tree that they wanted. Hope I am wrong.

Michael Meeks and Florian have been explicit today that openoffice.org as a 
destination is not considered neutral by the TDF.

I haven't explicitly asked if an apache.org address is not sufficiently neutral 
... I suspect not.

I think about this as a branding decision by TDF about LO and not our business.

 We owe to our millions of users out there to maintain our own security
 channels and we cannot delegate them to a third party. Looking for
 an unrelated domain to handle our issues is like giving your children
 to your neighbors so they educate them impartially.

There should be no doubt that ooo-security@i.a.o will remain as the project's 
security list.

If there is a meta-list for security for all of the peers in the OOo / LO and 
the rest community. This is some confederation that shares security issues in a 
private manner between peers. The peers have the mutual interest of their 
communities in mind.

 
 If there is no interest in bringing the code bases together I think there
 is not much to gain on a shared security list on the long run.

There is a need for co-operation regardless of the code divergence. The code 
will retain significant commonality. The ODF format is a standard. There will 
be common security issues.

One could argue that such co-operative lists should include all of the 
Microsoft Office community as well. Both LO and OOo implement OOXML and the 
binary MS Office formats. I won't because I suspect that it is a bridge too far.

Regards,
Dave

 
 Pedro.



Re: [Proposal] Security coordination without a shared list

2011-10-25 Thread Kay Schenk



On 10/25/2011 09:08 AM, Rob Weir wrote:

There is an easy way to avoid all the trust issues with regards to
shared mailing lists.  Don't have such a list.  Trust individuals.
This proposal takes this approach.


Actually I personally like this idea. Why? There have been many 
statements/testimonies to the fact that the LO  contains a great deal of 
code that is NOT in any of the OOo releases, and is now quite different. 
And, presumably, the LO development will continue to be different enough 
to warrant its own separate universe of mailing lists. I think at some 
point if we decided we really truly wanted to have a shared security 
list, it would become very difficult to determine who was the 
responsible party for the grievances. I might be exaggerating the 
problems since I'm not a developer, but, then again, maybe not.


So, although I'd love to see us work more closely with LO, I believe 
separate security lists are in order.




1) The AOOo PMC solicits the names of security contacts from related
projects who wish to be consulted related to pre-disclosure
coordination related to analysis and resolution of reported security
vulnerabilities.  Names of individuals are preferred over opaque
mailing lists.  Trust can be established based on a PGP/GPG web of
trust.  These names and addresses are stored confidentially in the
PPMC's private SVN directory.

2) The AOOo security team reaches out to these contacts, as
appropriate, via their preferred contact mechanism,  to coordinate on
specific vulnerabilities.  We (Apache) would cc ooo-security on our
external emails, as required by Apache policy [1].

3) Other groups would be encouraged to reach out to AOOo in similar
circumstances via our preferred contact mechanism, ooo-security.

4) This fully allows targeted collaboration on specific issues, via
each project's preferred contact mechanism,  without requiring the
maintenance of an additional email list.

5)  If we want to discuss security in general, then that can/should
happen on public dev lists.  That public discussion could occur
anywhere.


[1]: http://www.apache.org/security/committers.html


--

MzK

This is no social crisis
 Just another tricky day for you.
 -- Tricky Day, the Who


Re: Neutral / shared security list ...

2011-10-25 Thread Pedro Giffuni

--- On Tue, 10/25/11, Christian Lohmaier cl...@openoffice.org wrote:

 Hi Pedro, *,
 
 On Tue, Oct 25, 2011 at 8:42 PM, Pedro Giffuni p...@apache.org
 wrote:
  I am not in the PPMC specifically to avoid
 participating in this type of
  discussions, but I have to say this, just IMHO:
 
  I fail to understand why the ASF is not considered
 neutral,
 
 The ASF people is not the big problem. It is having
 @openoffice.org or @apache.org as part of the address.
 
 You wouldn't be OK with the list being @libreoffice.org or
 @documentfoundation.org, would you?
 

There is one difference: for all purposes we are what
LibreOffice is about to call upstream. Whatever happens
in OpenOffice.org is likely to also affect LO.

 Those are not neutral either. As I don't think this point
 is so hard
 to understand, I can only assume Rob is reiterating on this
 stuff and
 throwing in trust is what matters on purpose.
 
 This has nothing to do with trust.
 
  We owe to our millions of users out there to maintain
 our own security
  channels and we cannot delegate them to a third
 party.
 
 So why do you think it is OK for TDF/LibreOffice to do so?
 

LibreOffice, RedOffice, Lotus and other vendors are likely
to have their own independent channels too. I am not
against that but the idea is to have a single place where
all OOo derivatives can share experiences and attack
common problems. All of them share a quite big chunk
of code and we are extending the courtesy of the united
domain to everyone.

 (I know you're now switching from the neutrality issue to
 the
 administration part, but that once again is a different
 issue. Here is
 where trust also comes into play, but not any more than you
 have to
 trust the people who are subscribed to those lists)
 
  Looking for
  an unrelated domain to handle our issues is like
 giving your children
  to your neighbors so they educate them impartially.
 
 For TDF,  @apache.org or @openoffice.org would be
 unrelated, a different party.
 

That's exactly the silly part. We are calling for unity
and collaboration, TDF is calling for mistrust and
division.

Pedro.


RE: Neutral / shared security list ...

2011-10-25 Thread Dennis E. Hamilton
Rob,

It is an interesting social observation that distrust is not exemplary of being 
trustworthy. (Distrust is a kind of permission to be righteously untrustworthy, 
as is too easily demonstrated in world affairs as well as closer to home in 
regard to specific events already discussed on this list.)

In my thinking, the first act of being trustworthy is being trusting of those 
you want to recognize you as trustworthy.

Enough about that.

I do want to disassociate AOOo from the ASF record over the years.  That is not 
the AOOo record. AOOo is not even six months old.  AOOo needs to establish its 
trustworthiness the old-fashioned way, and it is not by inheritance or even by 
association.  Not yet.

 - Dennis

-Original Message-
From: Rob Weir [mailto:robw...@apache.org] 
Sent: Tuesday, October 25, 2011 09:12
To: ooo-dev@incubator.apache.org
Subject: Re: Neutral / shared security list ...

On Tue, Oct 25, 2011 at 11:56 AM, Florian Effenberger
flo...@documentfoundation.org wrote:
 Hello,

 it is really amazing how much hot air can be produced for such a topic.

 Folks, it's rather easy. After the recent discussions and the history of
 this topic, it becomes obvious, that neutral grounds are important.

 Neutral grounds mean:
 - no domain name related to Apache, OOo, TDF or LibO
 - no hosting at one of these entities
 - members of the list from both parties (and of course other third parties
 that make sense)
 - admins of the list from both parties


Sorry, but you build an incredible amount of distrust in others if you
express such irrational distrust in AOOo.  I'd have extreme hesitation
to work with anyone who exhibits such vehement distrust of an 11 year
old open source foundation that produces 5 of the top 10 open source
projects, and which has a stellar reputation in the industry,
including its treatment of security vulnerabilities.

-Rob

[ ... ]



RE: Neutral / shared security list ...

2011-10-25 Thread Dennis E. Hamilton
Having some lists on Sourceforge makes it clear to me that you don't want to go 
there.  My sourceforge e-mail address, the one associated with the lists, 
receives an incredible number of bounces of false e-mails allegedly from the 
list as well as crap sent to the list.  It is difficult to avoid conclusion 
that some of this is attributable to successful hacking into the list servers.  
That may be in the past, but there is no visibility and accountability about it 
that I have found.

There is a strong requirement for a vigilant host that is intolerant of lax 
security and that provides all of the appropriate safeguards and privacy of the 
kind required for a community security list.  Such a list has a bulls-eye on 
its back and a big ATTACK ME arrow pointed at it.

I recommended, and am still inclined to recommend, ASF for hosting for 
precisely the reasons that they are vigilant and this is also demonstrated in 
how they are vigilant with regard to the integrity of their code bases, the 
releases, and their authenticity.  There is little question, to me, that ASF is 
likely going to outlast many alternatives for such a facility.

I view this as separate from issues about governance of the list itself and the 
conditions for membership on the list.  Because security lists are by necessity 
used for sensitive information, they cannot be public.  The challenge is to 
still have transparency and accountability over how the list is governed and 
operated, as a list, and who the participants (or at least, what organizations 
are represented, for participants who are there as representatives of 
particular projects).  By the way, I know of no list that expects reporters to 
it (who also might submit packages) to have signed any kind of license 
agreement.  Maybe that happens.  I am not aware of it.

I think Rob summarized the trust issues perfectly well.

Since there does not appear to be a situation where blind trust is present, nor 
called for, the challenge is to build trust from some initial basis on which 
there is alignment.  

One case has to deal with trust in the impartiality and the serious 
professional conduct of the hosting organization, whatever the list is and 
whatever its Internet address is.  I still claim that the best choice of those 
offered so far is ASF.  

Whatever other candidates for hosting are, there needs to be strong agreement 
on the measures that qualifies that choice that inspires mutual trust, apart 
from where the domain name is.

 - Dennis

-Original Message-
From: Florian Effenberger [mailto:flo...@documentfoundation.org] 
Sent: Tuesday, October 25, 2011 08:56
To: ooo-dev@incubator.apache.org
Subject: Re: Neutral / shared security list ...

Hello,

it is really amazing how much hot air can be produced for such a topic.

Folks, it's rather easy. After the recent discussions and the history of 
this topic, it becomes obvious, that neutral grounds are important.

Neutral grounds mean:
- no domain name related to Apache, OOo, TDF or LibO
- no hosting at one of these entities
- members of the list from both parties (and of course other third 
parties that make sense)
- admins of the list from both parties

I'd also avoid any of the German associations, either directly or via 
donations, since stakeholders at both projects are in their respective 
boards, which might raise concerns towards neutrality.

What's so complicated to understand here? We can bury ourselves with 
senselessly quoting bullshit from dictionaries, wikipedia or a 
philosopher of our choice, or finally start working on things.

A concrete proposal:
- We can use either FreeDesktop.org,
- or in case this is seen as non-neutral as it hosts also a few TDF 
lists (not all), go for SourceForge.
- I am also happy to ask a friend of mine who is in the business of mail 
server consultancy, to host that list under a neutral domain name. He 
hosts various lists for free projects. In case that's not neutral enough 
as he's a friend, I know none of the admins at SourceForge.

So, is there any *compelling* reason not to try out one of these three 
options?

Florian

-- 
Florian Effenberger flo...@documentfoundation.org
Steering Committee and Founding Member of The Document Foundation
Tel: +49 8341 99660880 | Mobile: +49 151 14424108
Skype: floeff | Twitter/Identi.ca: @floeff



Re: Neutral / shared security list ...

2011-10-25 Thread Dave Fisher

On Oct 25, 2011, at 10:55 AM, Michael Meeks wrote:

 
 On Tue, 2011-10-25 at 10:22 -0700, Dave Fisher wrote:
 You are welcome! I'm looking for common ground and I am trying to listen to 
 logic.
 
   :-)
 
 So where does that leave us ? one approach that hasn't been discussed
 (and is perhaps a good compromise) - is for me to go ahead and setup the
 list @freedesktop, and for you guys to advertise the @ooo alias on your
 pages, and us to advertise the freedesktop one on ours.
 ..
 What do you think ?
 
 I think we are getting somewhere. The last detail is which is the real ML
 and which is the forwarder. While the AOOo project might prefer to have
 
   Fair point - for ultra-fairness we should perhaps publish two
 forwarding addresses - securityteam@oo.o and securityteam@tdf one each,
 both pointing at the neutrally hosted list.

This leads to an interesting approach that can be taken by any peer.

(1) There is a neutrally hosted Security ML for all Peers. Individuals are 
signed up representing one or more peers. The individuals are private. The 
peers are public. LO, AOOo, ODF Toolkit, RedOffice, Lotus Symphony, ...

(2) Each peer project can maintain their own private security list.

(3) Each peer project has an email forwarder that forwards email to (1) and 
optionally (2).

(4) Each peer project should have a security page with links to any private 
security list and when to use the neutrally hosted / shared list. Having a 
public list of the peers on the shared list is essential to properly informing 
the user where they are sending their security report. If the peer list 
included links to each peer's security web page that would be helpful.

A neutral domain name like office-security.org would be registered. Perhaps 
Team OpenOffice can help by buying the domain and setting up Mailing list 
hosting. I suspect that hosting details can be discussed among the 
securityteam@oo.o members.

Regards,
Dave



Re: Neutral / shared security list ...

2011-10-25 Thread Pedro Giffuni


--- On Tue, 10/25/11, Dave Fisher dave2w...@comcast.net wrote:


 Hi Pedro,
 
 On Oct 25, 2011, at 11:42 AM, Pedro Giffuni wrote:
 
  I am not in the PPMC specifically to avoid
 participating in this type of
  discussions, but I have to say this, just IMHO:
 
 I appreciate your decision to focus on the code. Project
 management keeps pulling me away from code ... for too many
 years.
 
  
  I fail to understand why the ASF is not considered
 neutral, deep
  inside I think the reason is simply because this year
 we got a bigger
  toy in our Christmas tree that they wanted. Hope I am
 wrong.
 
 Michael Meeks and Florian have been explicit today that
 openoffice.org as a destination is not considered neutral by
 the TDF.
 
 I haven't explicitly asked if an apache.org address is not
 sufficiently neutral ... I suspect not.
 
 I think about this as a branding decision by TDF about LO
 and not our business.
 

Yes, you are right. I will keep away from any further
discussion in this uninteresting thread. :-P

Pedro.


RE: Neutral / shared security list ...

2011-10-25 Thread Dennis E. Hamilton
+1

I am very much in support of the view that Dave has evolved in this discussion. 
  The discussion is not about the private security teams each project must have 
to deal with its security issues and to ensure the secure operation of the 
dealing with security issues.

If there is to be a community location for sharing concerning common 
vulnerabilities and security concerns among those teams, a kind of secure 
channel among the parties, like a multilateral hot line, some trustworthy basis 
for that has to be achieved.  The security of our users in relying on our 
products and their interchange protocols and formats is paramount.  Ultimately, 
that is the bedrock for enduring the discomfort of finding ways to accomplish 
this that is trustworthy for all of the participants.

 - Dennis

-Original Message-
From: Dave Fisher [mailto:dave2w...@comcast.net] 
Sent: Tuesday, October 25, 2011 12:30
To: ooo-dev@incubator.apache.org
Subject: Re: Neutral / shared security list ...

Hi Pedro,

On Oct 25, 2011, at 11:42 AM, Pedro Giffuni wrote:

 I am not in the PPMC specifically to avoid participating in this type of
 discussions, but I have to say this, just IMHO:

I appreciate your decision to focus on the code. Project management keeps 
pulling me away from code ... for too many years.

 
 I fail to understand why the ASF is not considered neutral, deep
 inside I think the reason is simply because this year we got a bigger
 toy in our Christmas tree that they wanted. Hope I am wrong.

Michael Meeks and Florian have been explicit today that openoffice.org as a 
destination is not considered neutral by the TDF.

I haven't explicitly asked if an apache.org address is not sufficiently neutral 
... I suspect not.

I think about this as a branding decision by TDF about LO and not our business.

 We owe to our millions of users out there to maintain our own security
 channels and we cannot delegate them to a third party. Looking for
 an unrelated domain to handle our issues is like giving your children
 to your neighbors so they educate them impartially.

There should be no doubt that ooo-security@i.a.o will remain as the project's 
security list.

If there is a meta-list for security for all of the peers in the OOo / LO and 
the rest community. This is some confederation that shares security issues in a 
private manner between peers. The peers have the mutual interest of their 
communities in mind.

 
 If there is no interest in bringing the code bases together I think there
 is not much to gain on a shared security list in the long run.

There is a need for co-operation regardless of the code divergence. The code 
will retain significant commonality. The ODF format is a standard. There will 
be common security issues.

One could argue that such co-operative lists should include all of the 
Microsoft Office community as well. Both LO and OOo implement OOXML and the 
binary MS Office formats. I won't because I suspect that it is a bridge too far.

Regards,
Dave

 
 Pedro.



RE: Draft mailing list notification post

2011-10-25 Thread Dennis E. Hamilton
+1

Good eye!

[For me, the first problem is to get it all written down.  Then the problem is 
to figure out how to make it the most useful to the reader, ideally by having 
the biggest questions answered first.  For everything but the first part (and 
sometimes that too), it is useful to have someone else's eye on the material.]

 - Dennis

-Original Message-
From: Dave Fisher [mailto:dave2w...@comcast.net] 
Sent: Tuesday, October 25, 2011 10:46
To: ooo-dev@incubator.apache.org
Subject: Re: Draft mailing list notification post

I wonder if this is too technically detailed.

Since the recipient is a ML user that impact should be noted near the top.

The information about what the ASF / podling process is all about should be at 
the end.

Information here to go to find out about AOOo release plans would be helpful. A 
wiki page with updates.

A link to the ooo blog.

On Oct 25, 2011, at 5:57 AM, Rob Weir wrote:

 On the wiki here:
 
 https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post
 
 Feel free to make changes directly on the wiki, or suggest them as
 responses to this note.  I don't think we want to overburden the
 reader with a recitation of migration facts, but instead motivate them
 to take the desired actions.  But since this will be for many the
 first note they officially receive from the PPMC, it should probably
 have some introductory information, and a welcome and invitation to
 get involved (stay involved) with the project.
 
 -Rob



Re: Draft mailing list notification post

2011-10-25 Thread Kay Schenk
On Tue, Oct 25, 2011 at 5:57 AM, Rob Weir robw...@apache.org wrote:

 On the wiki here:

 https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post

 Feel free to make changes directly on the wiki, or suggest them as
 responses to this note.  I don't think we want to overburden the
 reader with a recitation of migration facts, but instead motivate them
 to take the desired actions.  But since this will be for many the
 first note they officially receive from the PPMC, it should probably
 have some introductory information, and a welcome and invitation to
 get involved (stay involved) with the project.

 -Rob


I'll use the note approach.

take this sentence out entirely--most users won't know or care about the
back-end technology

As part of the migration to the Apache servers we will be switching from
the SYMPA mailing list manager to ezmlm, which the rest of Apache uses.

the rest reads OK without it.

Take out Note items #1, and #4.

Keep things as simple as possible would be my advice.
Pretty good though. Let's just hope they actually do read the whole thing.







-- 
---
MzK

This is no social crisis
 Just another tricky day for you.
 -- Tricky Day, the Who


RE: Neutral / shared security list ...

2011-10-25 Thread Dennis E. Hamilton
Umm, head-slap moment.

I happen to be the proud owner of worthiness.org.  

Truly.  

It is not hosted, but I have been sitting on the domain name for several years. 
 It was part of my M.Sc in IT project on Open Systems Trustworthiness.  I won't 
go into that here.  There is a reasonable capsule of where I got on the subject 
of trustworthiness here: 
http://orcmid.com/blog/2008/05/trust-but-demonstrate.asp.  I stand by that.  
For the current conversation, it is useful to leap to the end.

I have the domain so I could create an organization with regard to 
certification and assurance processes. I fancy tr...@worthiness.org as an 
identity with regard to digital signatures for attestations and counter-signing 
of other attestations that had been audited successfully.

This can be made available for a security-community retargeting too. 

It is clearly INELIGIBLE for a *trustworthy* neutral HOSTING.  First, if I fail 
to renew the domain-name lease (by disappearing from the mortal plane, or other 
disability), too bad.  Secondly, if the hosting site I would lease anything on 
were to fail or be hacked, I would have no recourse.  And then there is the 
matter of vigilance around the site, its backup, and most of all, protection of 
the sensitivity of the conversations that are conducted on its list. As an 
individual, I am not able to offer the care that is required, nor should I be 
relied upon to do so.

So, that's how neutrality is not trustworthiness, OK?

On the other hand, worthiness.org might be useful.  I am rather attached to it 
though.  

 - Dennis

(It is difficult to find domain names with trust in them, which is why I have 
the peculiar TROSTing.org domain too -- that and an inability to come up with a 
meaningful project title that abbreviated to TRUST.)

-Original Message-
From: Dave Fisher [mailto:dave2w...@comcast.net] 
Sent: Tuesday, October 25, 2011 13:01
To: ooo-dev@incubator.apache.org
Subject: Re: Neutral / shared security list ...


On Oct 25, 2011, at 10:55 AM, Michael Meeks wrote:

 
 On Tue, 2011-10-25 at 10:22 -0700, Dave Fisher wrote:
 You are welcome! I'm looking for common ground and I am trying to listen to 
 logic.
 
   :-)
 
 So where does that leave us ? one approach that hasn't been discussed
 (and is perhaps a good compromise) - is for me to go ahead and setup the
 list @freedesktop, and for you guys to advertise the @ooo alias on your
 pages, and us to advertise the freedesktop one on ours.
 ..
 What do you think ?
 
 I think we are getting somewhere. The last detail is which is the real ML
 and which is the forwarder. While the AOOo project might prefer to have
 
   Fair point - for ultra-fairness we should perhaps publish two
 forwarding addresses - securityteam@oo.o and securityteam@tdf one each,
 both pointing at the neutrally hosted list.

This leads to an interesting approach that can be taken by any peer.

(1) There is a neutrally hosted Security ML for all Peers. Individuals are 
signed up representing one or more peers. The individuals are private. The 
peers are public. LO, AOOo, ODF Toolkit, RedOffice, Lotus Symphony, ...

(2) Each peer project can maintain their own private security list.

(3) Each peer project has an email forwarder that forwards email to (1) and 
optionally (2).

(4) Each peer project should have a security page with links to any private 
security list and when to use the neutrally hosted / shared list. Having a 
public list of the peers on the shared list is essential to properly informing 
the user where they are sending their security report. If the peer list 
included links to each peer's security web page that would be helpful.

A neutral domain name like office-security.org would be registered. Perhaps 
Team OpenOffice can help by buying the domain and setting up Mailing list 
hosting. I suspect that hosting details can be discussed among the 
securityteam@oo.o members.

Regards,
Dave



Mailing list user migration: Staging and volunteers

2011-10-25 Thread Rob Weir
A quick summary of where we are, in case you haven't been following
the previous threads.

Information on the top 100 legacy mailing lists is on the wiki [1].
A draft note that will be sent to these lists is on another page [2].

If you note in that first page, the Migration Owner column is blank.
 So either I need to quickly learn French, Dutch and Japanese, or I
need some help here.

Volunteers would translate the note, send it to the relevant NL lists,
and be available on those lists to answer any migration-related
questions.  Ideally you would already be a participant on the lists
and familiar to that community.

As for staging, I'd recommend that we do not do this all at once.
Migrating 100 lists at once would be very messy.  But we can easily
break this down into related groups of lists and do the migration over
a few weeks.  One possible staging would be:

1) All the lists that will be merged into the new ooo-marketing list.
This will help jump start that list's important work, and bring
community members into the discussion who might not have been
interested in the other topics we've been discussing on ooo-dev.

2) All of the lists that will be merged into ooo-dev

3) All of the lists that will be merged into ooo-users

4) NL lists (which could be done in parallel with the above.  However,
they will require some discussion and admin work to create new
ooo-lang lists,)

The thought behind this staging is that we work out the kinks with
the more technical and (hopefully) more forgiving project lists,
before moving on to the user and NL lists.  We can adjust the
instructions and messaging based on what we learn from the initial
migrations.

Regards,

-Rob

[1] https://cwiki.apache.org/confluence/display/OOOUSERS/Mailing+lists
[2] https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post


Re: Neutral / shared security list ...

2011-10-25 Thread Florian Effenberger

Hello Ian,

Ian Lynch wrote on 2011-10-25 19:18:

Well babies are usually made from love and tenderness (unless it's a
mistake) and I don't see too much of that in this approach. At least to get
started why not do it on a neutral list? Florian has made a perfectly
reasonable case for it. Is that so much to give up just to get something
going? In terms of baby making I'd say we need some serious marriage
guidance before even talking about getting in bed together never mind
wrapping anything in latex.


thank you for being reasonable and seeing what my proposal intends -- 
really, that's truly appreciated.


Seeing all those proposals coming in -- no list at all, everyone 
forwards to each other etc. -- simply makes no sense. It creates 
overhead, it makes things slow, and that just for the sake of not 
agreeing to a simple proposal, it feels.


To sum up my proposal again: If we are on neutral grounds, nobody loses 
anything, but we all can win. It is not about telling any entity is not 
trustworthy enough -- it simply is the easiest solution for a topic that 
has been cooking for weeks now.


The easiest solution -- and anyone with common sense should agree -- is 
to have a shared list on neutral grounds. Not involving ASF, AOOo, 
TeamOOo, neither TDF, LibO, FrODeV.


That is fair to anyone, does not exclude anyone, does not benefit one 
over the other -- it's easy, simple, and the best way to go. Sure, 
everyone can create own aliases pointing to that list, but the core is 
the same, and that's what matters.


If you folks now start complaining about we don't trust Apache, we can 
answer by complaining you don't trust TDF and so on. It's a horrible 
waste of time, it's lame, it does not help anyone, and it makes me doubt 
we're talking amongst adults, seriously.


And, really, all this crap being tossed around about trustworthiness, 
upstream, downstream, code similarities and insults is worth not even 
the digital paper it's written on.


I made a simple, plain, and easy proposal. Don't make things overly 
complicated, folks.


Thanks for considering,
Florian

--
Florian Effenberger flo...@documentfoundation.org
Steering Committee and Founding Member of The Document Foundation
Tel: +49 8341 99660880 | Mobile: +49 151 14424108
Skype: floeff | Twitter/Identi.ca: @floeff


Re: Mailing list user migration: Staging and volunteers

2011-10-25 Thread Rob Weir
On Tue, Oct 25, 2011 at 5:36 PM, Kay Schenk kay.sch...@gmail.com wrote:
 On Tue, Oct 25, 2011 at 2:30 PM, Rob Weir robw...@apache.org wrote:

 A quick summary of where we are, in case you haven't been following
 the previous threads.

 Information on the top 100 legacy mailing lists is on the wiki [1].
 A draft note that will be sent to these lists is on another page [2].

 If you note in that first page, the Migration Owner column is blank.
  So either I need to quickly learn French, Dutch and Japanese, or I
 need some help here.

 Volunteers would translate the note, send it to the relevant NL lists,
 and be available on those lists to answer any migration-related
 questions.  Ideally you would already be a participant on the lists
 and familiar to that community.

 As for staging, I'd recommend that we do not do this all at once.
 Migrating 100 lists at once would be very messy.  But we can easily
 break this down into related groups of lists and do the migration over
 a few weeks.  One possible staging would be:

 1) All the lists that will be merged into the new ooo-marketing list.
 This will help jump start that list's important work, and bring
 community members into the discussion who might not have been
 interested in the other topics we've been discussing on ooo-dev.

 2) All of the lists that will be merged into ooo-dev

 3) All of the lists that will be merged into ooo-users

 4) NL lists (which could be done in parallel with the above.  However,
 they will require some discussion and admin work to create new
 ooo-lang lists,)

 The thought behind this staging is that we work out the kinks with
 the more technical and (hopefully) more forgiving project lists,
 before moving on to the user and NL lists.  We can adjust the
 instructions and messaging based on what we learn from the initial
 migrations.

 Regards,

 -Rob


 Have the new NL lists been setup already? I may have missed that and I
 haven't looked at any jira tix.


No NL lists yet, except for Japanese.  We need moderator volunteers
before we can request them.

Process for getting a new mailing list created is here:

http://www.apache.org/dev/committers.html#new-mailing-list

Probably makes sense to start with the largest NL communities first?


 [1] https://cwiki.apache.org/confluence/display/OOOUSERS/Mailing+lists
 [2]
 https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post




 --
 ---
 MzK

 This is no social crisis
  Just another tricky day for you.
                 -- Tricky Day, the Who



Re: Mailing list user migration: Staging and volunteers

2011-10-25 Thread Andrew Rist



On 10/25/2011 2:43 PM, Rob Weir wrote:

On Tue, Oct 25, 2011 at 5:36 PM, Kay Schenk kay.sch...@gmail.com wrote:

On Tue, Oct 25, 2011 at 2:30 PM, Rob Weir robw...@apache.org wrote:


A quick summary of where we are, in case you haven't been following
the previous threads.

Information on the top 100 legacy mailing lists is on the wiki [1].
A draft note that will be sent to these lists is on another page [2].

If you note in that first page, the Migration Owner column is blank.
  So either I need to quickly learn French, Dutch and Japanese, or I
need some help here.

Volunteers would translate the note, send it to the relevant NL lists,
and be available on those lists to answer any migration-related
questions.  Ideally you would already be a participant on the lists
and familiar to that community.

As for staging, I'd recommend that we do not do this all at once.
Migrating 100 lists at once would be very messy.  But we can easily
break this down into related groups of lists and do the migration over
a few weeks.  One possible staging would be:

1) All the lists that will be merged into the new ooo-marketing list.
This will help jump start that list's important work, and bring
community members into the discussion who might not have been
interested in the other topics we've been discussing on ooo-dev.

2) All of the lists that will be merged into ooo-dev

3) All of the lists that will be merged into ooo-users

4) NL lists (which could be done in parallel with the above.  However,
they will require some discussion and admin work to create new
ooo-lang lists,)

The thought behind this staging is that we work out the kinks with
the more technical and (hopefully) more forgiving project lists,
before moving on to the user and NL lists.  We can adjust the
instructions and messaging based on what we learn from the initial
migrations.

Regards,

-Rob



Have the new NL lists been setup already? I may have missed that and I
haven't looked at any jira tix.


No NL lists yet, except for Japanese.  We need moderator volunteers
before we can request them.

Process for getting a new mailing list created is here:

http://www.apache.org/dev/committers.html#new-mailing-list

Probably makes sense to start with the largest NL communities first?

Have we considered having a list for 'un-represented languages'?
If a user does not find their language, where do they go?  Posting to 
the English list or ooo-dev in another language is frowned on.

This is a bootstrapping question.
Where can a community go to say that they exist, have a need, and would 
like to create a list.


I understand we don't want to create dead lists, and don't want to 
create a list that cannot be self sustainable,

but it seems like there is a gap here for bringing in new communities.



[1] https://cwiki.apache.org/confluence/display/OOOUSERS/Mailing+lists
[2]
https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post




--
---
MzK

This is no social crisis
  Just another tricky day for you.
 -- Tricky Day, the Who



--

Andrew Rist | Interoperability Architect
Oracle Corporate Architecture Group
Redwood Shores, CA | 650.506.9847



RE: [proposal] Neutral / shared security list ...

2011-10-25 Thread Dennis E. Hamilton
Dave, if you are going to do that, just relabeling a thread is not helpful.

Please compose a specific concrete proposal under a [DISCUSS], and announce the 
duration and end-time for a lazy consensus at the top.

Give it at least 3 full 24-hour calendar days. 

I don't have any sense that there is alignment yet, but there may be in that 
time and I am happy to be mistaken.  Then at the end, if there is a consensus, 
please report what it is.

 - Dennis

-Original Message-
From: Dave Fisher [mailto:dave2w...@comcast.net] 
Sent: Tuesday, October 25, 2011 15:35
To: ooo-dev@incubator.apache.org
Cc: flo...@documentfoundation.org
Subject: Re: [proposal] Neutral / shared security list ...

Hi -

Sorry to reply to myself.

Even though there are choices in this email. Please view it as a proposal. 
Where we are seeking lazy consensus.

On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote:

 On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote:
 
 On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net wrote:
 
 
 Agreed. We need to pick a neutral domain name. office-security.org is
 apparently free.
 
 Some institution needs to buy domain registration. I've been the volunteer
 registrar for a social groups domain, it is a pain to transition. This needs
 to be an institution, it could be Team OOo?
 
 
 I think they are too close to the matter.  SPI exists specifically to hold
 assets in trust - perhaps they would hold the registration for us all?  If
 we agree I'd be happy to volunteer to contact them.
 
 It's also possible we could ask OSI to do it - Jim Jagielski and I are both
 on the Board at present.
 
 These are both interesting ideas.

The proposal is to pick a domain and get registration  Simon volunteers to help.


 
 
 
 
 An ISP for hosting the private ML needs to be selected. Dennis suggests
 that the ASF could be that ISP for free. 
 
 slight snip/
 
 And:
 
 insert
 
 On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote:
 
 snip/
 
 
 If we basically agree that such a list as outlined by me is a way to go, I 
 am happy to ask a friend of mine who has a very good reputation in being a 
 mail server, mailing list and security expert, with a very good track 
 record, including all sorts of certifications. He is offering e-mail 
 services as business.
 
 I just don't want to spread the name publicly without asking him first, 
 and I don't want to ask him, before we have some common understanding. :-)
 
 
 
 /insert

The proposal is for the existing securityteam to choose, the above are two 
possibilities.


 
 
 
 securityteam@oo.o is migrated to whatever the new list is, and those
 people start administrating.
 
 I think it is very important for the public to know who all of the projects
 are on the shared ML.

I propose that this shared security team provide a list of participating peers 
to the public.

 
 Are we done already :-)
 
 Let's let the world revolve to see if we have some Consensus.

Revolve 3x or 72 hours.

Regards,
Dave

 
 Regards,
 Dave
 
 
 Regards,
 Dave
 
 
 That is fair to anyone, does not exclude anyone, does not benefit one
 over the other -- it's easy, simple, and the best way to go. Sure,
 everyone can create own aliases pointing to that list, but the core is
 the same, and that's what matters.
 
 If you folks now start complaining about we don't trust Apache, we can
 answer by complaining you don't trust TDF and so on. It's a horrible
 waste of time, it's lame, it does not help anyone, and it makes me doubt
 we're talking amongst adults, seriously.
 
 And, really, all this crap being tossed around about trustworthiness,
 upstream, downstream, code similarities and insults is worth not even
 the digital paper it's written on.
 
 I made a simple, plain, and easy proposal. Don't make things overly
 complicated, folks.
 
 Thanks for considering,
 Florian
 
 --
 Florian Effenberger flo...@documentfoundation.org
 Steering Committee and Founding Member of The Document Foundation
 Tel: +49 8341 99660880 | Mobile: +49 151 14424108
 Skype: floeff | Twitter/Identi.ca: @floeff
 
 
 
 
 
 -- 
 Simon Phipps
 +1 415 683 7660 : www.webmink.com
 



Re: [proposal] Neutral / shared security list ...

2011-10-25 Thread Dave Fisher
Dennis,

I've gone as far as I want with this for now. I'll see what people say on this 
existing thread.

I have no desire to fight a formality battle with Rob and his other, 
non-co-operative [proposal]. I put enough time today into diplomacy.

Regards,
Dave

On Oct 25, 2011, at 3:44 PM, Dennis E. Hamilton wrote:

 Dave, if you are going to do that, just relabeling a thread is not helpful.
 
 Please compose a specific concrete proposal under a [DISCUSS], and announce 
 the duration and end-time for a lazy consensus at the top.
 
 Give it at least 3 full 24-hour calendar days. 
 
 I don't have any sense that there is alignment yet, but there may be in that 
 time and I am happy to be mistaken.  Then at the end, if there is a 
 consensus, please report what it is.
 
 - Dennis
 
 -Original Message-
 From: Dave Fisher [mailto:dave2w...@comcast.net] 
 Sent: Tuesday, October 25, 2011 15:35
 To: ooo-dev@incubator.apache.org
 Cc: flo...@documentfoundation.org
 Subject: Re: [proposal] Neutral / shared security list ...
 
 Hi -
 
 Sorry to reply to myself.
 
 Even though there are choices in this email. Please view it as a proposal. 
 Where we are seeking lazy consensus.
 
 On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote:
 
 On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote:
 
 On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net wrote:
 
 
 Agreed. We need to pick a neutral domain name. office-security.org is
 apparently free.
 
 Some institution needs to buy domain registration. I've been the volunteer
 registrar for a social groups domain, it is a pain to transition. This 
 needs
 to be an institution, it could be Team OOo?
 
 
 I think they are too close to the matter.  SPI exists specifically to hold
 assets in trust - perhaps they would hold the registration for us all?  If
 we agree I'd be happy to volunteer to contact them.
 
 It's also possible we could ask OSI to do it - Jim Jagielski and I are both
 on the Board at present.
 
 These are both interesting ideas.
 
 The proposal is to pick a domain and get registration  Simon volunteers to 
 help.
 
 
 
 
 
 
 An ISP for hosting the private ML needs to be selected. Dennis suggests
 that the ASF could be that ISP for free. 
 
 slight snip/
 
 And:
 
 insert
 
 On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote:
 
 snip/
 
 
 If we basically agree that such a list as outlined by me is a way to go, I 
 am happy to ask a friend of mine who has a very good reputation in being a 
 mail server, mailing list and security expert, with a very good track 
 record, including all sorts of certifications. He is offering e-mail 
 services as business.
 
 I just don't want to spread the name publicly without asking him first, 
 and I don't want to ask him, before we have some common understanding. :-)
 
 
 
 /insert
 
 The proposal is for the existing securityteam to choose, the above are two 
 possibilities.
 
 
 
 
 
 securityteam@oo.o is migrated to whatever the new list is, and those
 people start administrating.
 
 I think it is very important for the public to know who all of the projects
 are on the shared ML.
 
 I propose that this shared security team provide a list of participating 
 peers to the public.
 
 
 Are we done already :-)
 
 Let's let the world revolve to see if we have some Consensus.
 
 Revolve 3x or 72 hours.
 
 Regards,
 Dave
 
 
 Regards,
 Dave
 
 
 Regards,
 Dave
 
 
 That is fair to anyone, does not exclude anyone, does not benefit one
 over the other -- it's easy, simple, and the best way to go. Sure,
 everyone can create own aliases pointing to that list, but the core is
 the same, and that's what matters.
 
 If you folks now start complaining about we don't trust Apache, we can
 answer by complaining you don't trust TDF and so on. It's a horrible
 waste of time, it's lame, it does not help anyone, and it makes me doubt
 we're talking amongst adults, seriously.
 
 And, really, all this crap being tossed around about trustworthiness,
 upstream, downstream, code similarities and insults is worth not even
 the digital paper it's written on.
 
 I made a simple, plain, and easy proposal. Don't make things overly
 complicated, folks.
 
 Thanks for considering,
 Florian
 
 --
 Florian Effenberger flo...@documentfoundation.org
 Steering Committee and Founding Member of The Document Foundation
 Tel: +49 8341 99660880 | Mobile: +49 151 14424108
 Skype: floeff | Twitter/Identi.ca: @floeff
 
 
 
 
 
 -- 
 Simon Phipps
 +1 415 683 7660 : www.webmink.com
 
 



[CODE] Review i104788 - framework::DropdownToolbarController: dispatch does not get selected item text

2011-10-25 Thread Ariel Constenla-Haile
Hi there,

can someone in the know of framework/API stuff review i104788?
https://issues.apache.org/ooo/show_bug.cgi?id=104788
The issue is 2 years old, and the fix is rather simple.

Regards
-- 
Ariel Constenla-Haile
La Plata, Argentina




Re: Neutral / shared security list ...

2011-10-25 Thread Andrew Rist
I will drop off this thread after this post, as it seems that things are 
working toward a solution.
I would suggest though that it is rather frustrating to see all of this 
ink and blood spilt over what seems to be a misunderstanding.

--continued inline --

On 10/25/2011 3:40 PM, Florian Effenberger wrote:

Hi,

Andrew Rist wrote on 2011-10-26 00:34:

I do not understand why this is easier than continuing on the existing
list.


when I asked that last time, I heard various replies:

- You need to be an iCLA signer to be on that list.
You don't - you never have.  This list has been in existence for several 
years, and this has not changed.


- You need to be an Apache contributor to be on that list.
You don't - you never have.  This list has been in existence for several 
years, and this has not changed.


- We have no administrative access to that list.
This had not been an issue to date - it seems that this is solvable, and 
a way to create trust between the communities.


I'll add another issue that has been thrown out
  - people getting thrown off the list or excluded
This also has not happened.


Thus,
it is a bit frustrating to listen to this conversation and the search 
for a cure to a problem that may not have actually ever existed.

/rant
Andrew







In the meantime, a bunch of other proposals have come in.

Looking at the history of this issue (Michael outlined it very well), 
I think a neutral, trusted ground is the best way to cooperate in this 
matter.


And again, I think everyone benefits the same from my proposal, with 
no one overly preferred, and nobody losing anything. It demands the 
same from everyone.


Florian



--

Andrew Rist | Interoperability Architect
OracleCorporate Architecture Group
Redwood Shores, CA | 650.506.9847



RE: [proposal] Neutral / shared security list ...

2011-10-25 Thread Dennis E. Hamilton
Oh, and the most important part:

In what way is the AOOo party to the consensus that is reached?  That 
ooo-security (an agent of the PPMC, essentially) will participate in the 
described community arrangement if established? Something else?

I think that would be essential to bringing this to a successful conclusion.

-Original Message-
From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org] 
Sent: Tuesday, October 25, 2011 15:45
To: 'ooo-dev@incubator.apache.org'
Cc: 'Dave Fisher'
Subject: RE: [proposal] Neutral / shared security list ...

Dave, if you are going to do that, just relabeling a thread is not helpful.

Please compose a specific concrete proposal under a [DISCUSS], and announce the 
duration and end-time for a lazy consensus at the top.

Give it at least 3 full 24-hour calendar days. 

I don't have any sense that there is alignment yet, but there may be in that 
time and I am happy to be mistaken.  Then at the end, if there is a consensus, 
please report what it is.

 - Dennis

-Original Message-
From: Dave Fisher [mailto:dave2w...@comcast.net] 
Sent: Tuesday, October 25, 2011 15:35
To: ooo-dev@incubator.apache.org
Cc: flo...@documentfoundation.org
Subject: Re: [proposal] Neutral / shared security list ...

Hi -

Sorry to reply to myself.

Even though there are choices in this email. Please view it as a proposal. 
Where we are seeking lazy consensus.

On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote:

 On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote:
 
 On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net wrote:
 
 
 Agreed. We need to pick a neutral domain name. office-security.org is
 apparently free.
 
 Some institution needs to buy domain registration. I've been the volunteer
 registrar for a social groups domain, it is a pain to transition. This needs
 to be an institution, it could be Team OOo?
 
 
 I think they are too close to the matter.  SPI exists specifically to hold
 assets in trust - perhaps they would hold the registration for us all?  If
 we agree I'd be happy to volunteer to contact them.
 
 It's also possible we could ask OSI to do it - Jim Jagielski and I are both
 on the Board at present.
 
 These are both interesting ideas.

The proposal is to pick a domain and get registration  Simon volunteers to help.


 
 
 
 
 An ISP for hosting the private ML needs to be selected. Dennis suggests
 that the ASF could be that ISP for free. 
 
 slight snip/
 
 And:
 
 insert
 
 On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote:
 
 snip/
 
 
 If we basically agree that such a list as outlined by me is a way to go, I 
 am happy to ask a friend of mine who has a very good reputation in being a 
 mail server, mailing list and security expert, with a very good track 
 record, including all sorts of certifications. He is offering e-mail 
 services as business.
 
 I just don't want to spread the name publicly without asking him first, 
 and I don't want to ask him, before we have some common understanding. :-)
 
 
 
 /insert

The proposal is for the existing securityteam to choose, the above are two 
possibilities.


 
 
 
 securityteam@oo.o is migrated to whatever the new list is, and those
 people start administrating.
 
 I think it is very important for the public to know who all of the projects
 are on the shared ML.

I propose that this shared security team provide a list of participating peers 
to the public.

 
 Are we done already :-)
 
 Let's let the world revolve to see if we have some Consensus.

Revolve 3x or 72 hours.

Regards,
Dave

 
 Regards,
 Dave
 
 
 Regards,
 Dave
 
 
 That is fair to anyone, does not exclude anyone, does not benefit one
 over the other -- it's easy, simple, and the best way to go. Sure,
 everyone can create own aliases pointing to that list, but the core is
 the same, and that's what matters.
 
 If you folks now start complaining about we don't trust Apache, we can
 answer by complaining you don't trust TDF and so on. It's a horrible
 waste of time, it's lame, it does not help anyone, and it makes me doubt
 we're talking amongst adults, seriously.
 
 And, really, all this crap being tossed around about trustworthiness,
 upstream, downstream, code similarities and insults is worth not even
 the digital paper it's written on.
 
 I made a simple, plain, and easy proposal. Don't make things overly
 complicated, folks.
 
 Thanks for considering,
 Florian
 
 --
 Florian Effenberger flo...@documentfoundation.org
 Steering Committee and Founding Member of The Document Foundation
 Tel: +49 8341 99660880 | Mobile: +49 151 14424108
 Skype: floeff | Twitter/Identi.ca: @floeff
 
 
 
 
 
 -- 
 Simon Phipps
 +1 415 683 7660 : www.webmink.com
 



[CODE] Review i118519 and i118520 - gtk quickstarter and libegg

2011-10-25 Thread Ariel Constenla-Haile
Hi there,

can someone in the know of framework/gtk stuff please review patches attached
to https://issues.apache.org/ooo/show_bug.cgi?id=118519 and
https://issues.apache.org/ooo/show_bug.cgi?id=118520

Regards
-- 
Ariel Constenla-Haile
La Plata, Argentina




Re: Neutral / shared security list ...

2011-10-25 Thread Rob Weir
On Tue, Oct 25, 2011 at 6:40 PM, Florian Effenberger
flo...@documentfoundation.org wrote:
 Hi,

 Andrew Rist wrote on 2011-10-26 00:34:

 I do not understand why this is easier than continuing on the existing
 list.

 when I asked that last time, I heard various replies:


Oh, Florian, you have either misread or have been misled.  Every one
of these points is false.  If you really had this impression, there is
a tragic misunderstanding here.

 - You need to be an iCLA signer to be on that list.


False.  No iCLA is required to participate on the list.  It never was
before and no one has suggested adding that requirement.  Where
exactly did you read this?

 - You need to be an Apache contributor to be on that list.


False.  Where exactly did you read this?

 - We have no administrative access to that list.


False.  We've offered to allow TDF/LO moderators.

 In the meantime, a bunch of other proposals have come in.

 Looking at the history of this issue (Michael outlined it very well), I
 think a neutral, trusted ground is the best way to cooperate in this matter.

 And again, I think everyone benefits the same from my proposal, with no one
 overly preferred, and nobody losing anything. It demands the same from
 everyone.

 Florian

 --
 Florian Effenberger flo...@documentfoundation.org
 Steering Committee and Founding Member of The Document Foundation
 Tel: +49 8341 99660880 | Mobile: +49 151 14424108
 Skype: floeff | Twitter/Identi.ca: @floeff



Re: [proposal] Neutral / shared security list ...

2011-10-25 Thread Rob Weir
On Tue, Oct 25, 2011 at 7:01 PM, Dennis E. Hamilton
dennis.hamil...@acm.org wrote:
 Oh, and the most important part:

 In what way is the AOOo party to the consensus that is reached?  That 
 ooo-security (an agent of the PPMC, essentially) will participate in the 
 described community arrangement if established? Something else?


It would be good to also include in the proposal how IP will be
treated.  By my reading of the iCLA this would not be covered, since
it is not an Apache list.  We'd need to make some other agreement,
take it to legal-discuss, etc.

 I think that would be essential to bringing this to a successful conclusion.

 -----Original Message-----
 From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
 Sent: Tuesday, October 25, 2011 15:45
 To: 'ooo-dev@incubator.apache.org'
 Cc: 'Dave Fisher'
 Subject: RE: [proposal] Neutral / shared security list ...

 Dave, if you are going to do that, just relabeling a thread is not helpful.

 Please compose a specific concrete proposal under a [DISCUSS], and announce 
 the duration and end-time for a lazy consensus at the top.

 Give it at least 3 full 24-hour calendar days.

 I don't have any sense that there is alignment yet, but there may be in that 
 time and I am happy to be mistaken.  Then at the end, if there is a 
 consensus, please report what it is.

  - Dennis

 -----Original Message-----
 From: Dave Fisher [mailto:dave2w...@comcast.net]
 Sent: Tuesday, October 25, 2011 15:35
 To: ooo-dev@incubator.apache.org
 Cc: flo...@documentfoundation.org
 Subject: Re: [proposal] Neutral / shared security list ...

 Hi -

 Sorry to reply to myself.

 Even though there are choices in this email, please view it as a proposal 
 where we are seeking lazy consensus.

 On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote:

 On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote:

 On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net wrote:


 Agreed. We need to pick a neutral domain name. office-security.org is
 apparently free.

 Some institution needs to buy domain registration. I've been the volunteer
 registrar for a social groups domain, it is a pain to transition. This 
 needs
 to be an institution, it could be Team OOo?


 I think they are too close to the matter.  SPI exists specifically to hold
 assets in trust - perhaps they would hold the registration for us all?  If
 we agree I'd be happy to volunteer to contact them.

 It's also possible we could ask OSI to do it - Jim Jagielski and I are both
 on the Board at present.

 These are both interesting ideas.

 The proposal is to pick a domain and get registration. Simon volunteers to 
 help.






 An ISP for hosting the private ML needs to be selected. Dennis suggests
 that the ASF could be that ISP for free.

 slight snip/

 And:

 insert

 On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote:

 snip/


 If we basically agree that such a list as outlined by me is a way to go, I 
 am happy to ask a friend of mine who has a very good reputation in being a 
 mail server, mailing list and security expert, with a very good track 
 record, including all sorts of certifications. He is offering e-mail 
 services as business.

 I just don't want to spread the name publicly without asking him first, 
 and I don't want to ask him, before we have some common understanding. :-)



 /insert

 The proposal is for the existing securityteam to choose, the above are two 
 possibilities.





 securityteam@oo.o is migrated to whatever the new list is, and those
 people start administrating.

 I think it is very important for the public to know who all of the projects
 are on the shared ML.

 I propose that this shared security team provide a list of participating 
 peers to the public.


 Are we done already :-)

 Let's let the world revolve to see if we have some Consensus.

 Revolve 3x or 72 hours.

 Regards,
 Dave


 Regards,
 Dave


 Regards,
 Dave


 That is fair to anyone, does not exclude anyone, does not benefit one
 over the other -- it's easy, simple, and the best way to go. Sure,
 everyone can create own aliases pointing to that list, but the core is
 the same, and that's what matters.

 If you folks now start complaining about we don't trust Apache, we can
 answer by complaining you don't trust TDF and so on. It's a horrible
 waste of time, it's lame, it does not help anyone, and it makes me doubt
 we're talking amongst adults, seriously.

 And, really, all this crap being tossed around about trustworthiness,
 upstream, downstream, code similarities and insults is worth not even
 the digital paper it's written on.

 I made a simple, plain, and easy proposal. Don't make things overly
 complicated, folks.

 Thanks for considering,
 Florian

 --
 Florian Effenberger flo...@documentfoundation.org
 Steering Committee and Founding Member of The Document Foundation
 Tel: +49 8341 99660880 | Mobile: +49 151 14424108
 Skype: floeff | Twitter/Identi.ca: @floeff





 --
 Simon Phipps
 +1 415 683 7660 : 

Re: Mailing list user migration: Staging and volunteers

2011-10-25 Thread Kay Schenk
On Tue, Oct 25, 2011 at 2:43 PM, Rob Weir robw...@apache.org wrote:

 On Tue, Oct 25, 2011 at 5:36 PM, Kay Schenk kay.sch...@gmail.com wrote:
  On Tue, Oct 25, 2011 at 2:30 PM, Rob Weir robw...@apache.org wrote:
 
  A quick summary of where we are, in case you haven't been following
  the previous threads.
 
  Information on the top 100 legacy mailing lists is on the wiki [1].
  A draft note that will be sent to these lists is on another page [2].
 
  If you note in that first page, the Migration Owner column is blank.
   So either I need to quickly learn French, Dutch and Japanese, or I
  need some help here.
 
  Volunteers would translate the note, send it to the relevant NL lists,
  and be available on those lists to answer any migration-related
  questions.  Ideally you would already be a participant on the lists
  and familiar to that community.
 
  As for staging, I'd recommend that we do not do this all at once.
  Migrating 100 lists at once would be very messy.  But we can easily
  break this down into related groups of lists and do the migration over
  a few weeks.  One possible staging would be:
 
  1) All the lists that will be merged into the new ooo-marketing list.
  This will help jump start that list's important work, and bring
  community members into the discussion who might not have been
  interested in the other topics we've been discussing on ooo-dev.
 
  2) All of the lists that will be merged into ooo-dev
 
  3) All of the lists that will be merged into ooo-users
 
  4) NL lists (which could be done in parallel with the above.  However,
  they will require some discussion and admin work to create new
  ooo-lang lists,)
 
  The thought behind this staging is that we work out the kinks with
  the more technical and (hopefully) more forgiving project lists,
  before moving on to the user and NL lists.  We can adjust the
  instructions and messaging based on what we learn from the initial
  migrations.
 
  Regards,
 
  -Rob
 
 
  Have the new NL lists been set up already? I may have missed that and I
  haven't looked at any jira tix.
 

 No NL lists yet, except for Japanese.  We need moderator volunteers
 before we can request them.

 Process for getting a new mailing list created is here:

 http://www.apache.org/dev/committers.html#new-mailing-list

 Probably makes sense to start with the largest NL communities first?


OK, thanks, I need to think about this...a good approach, etc.



 
  [1] https://cwiki.apache.org/confluence/display/OOOUSERS/Mailing+lists
  [2]
 
 https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post
 
 
 
 
  --
 
 ---
  MzK
 
  This is no social crisis
   Just another tricky day for you.
  -- Tricky Day, the Who
 




-- 
---
MzK

This is no social crisis
 Just another tricky day for you.
 -- Tricky Day, the Who


Re: Neutral / shared security list ...

2011-10-25 Thread Simon Phipps
On Wed, Oct 26, 2011 at 12:22 AM, Rob Weir robw...@apache.org wrote:

 On Tue, Oct 25, 2011 at 6:18 PM, Simon Phipps si...@webmink.com wrote:
  On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net
 wrote:
 
 
  Agreed. We need to pick a neutral domain name. office-security.org is
  apparently free.
 
  Some institution needs to buy domain registration. I've been the
 volunteer
  registrar for a social groups domain, it is a pain to transition. This
 needs
  to be an institution, it could be Team OOo?
 
 
  I think they are too close to the matter.  SPI exists specifically to
 hold
  assets in trust - perhaps they would hold the registration for us all?
  If
  we agree I'd be happy to volunteer to contact them.
 

 At Apache we make proposals and seek lazy consensus, typically 72
 hours.  I see nothing urgent here that would make us bypass that part
 of our decision making process.


Is this addressed to me or to someone else, Rob? I haven't seen anyone
suggesting any process be bypassed, so I am very confused by this statement.



 I look forward to reading the specifics of your proposal.  I've made mine.

 -Rob


  It's also possible we could ask OSI to do it - Jim Jagielski and I are
 both
  on the Board at present.
 
 
 
  An ISP for hosting the private ML needs to be selected. Dennis suggests
  that the ASF could be that ISP for free. Could the TDF be the ISP? Isn't
  that for you to say? I agree it is not the main issue.
 
  securityteam@oo.o is migrated to whatever the new list is, and those
  people start administrating.
 
  I think it is very important for the public to know who all of the
 projects
  are on the shared ML.
 
  Are we done already :-)
 
  Regards,
  Dave
 
  
   That is fair to anyone, does not exclude anyone, does not benefit one
   over the other -- it's easy, simple, and the best way to go. Sure,
   everyone can create own aliases pointing to that list, but the core is
   the same, and that's what matters.
  
   If you folks now start complaining about we don't trust Apache, we can
   answer by complaining you don't trust TDF and so on. It's a horrible
   waste of time, it's lame, it does not help anyone, and it makes me
 doubt
   we're talking amongst adults, seriously.
  
   And, really, all this crap being tossed around about trustworthiness,
   upstream, downstream, code similarities and insults is worth not even
   the digital paper it's written on.
  
   I made a simple, plain, and easy proposal. Don't make things overly
   complicated, folks.
  
   Thanks for considering,
   Florian
  
   --
   Florian Effenberger flo...@documentfoundation.org
   Steering Committee and Founding Member of The Document Foundation
   Tel: +49 8341 99660880 | Mobile: +49 151 14424108
   Skype: floeff | Twitter/Identi.ca: @floeff
  
 
 
 
 
  --
  Simon Phipps
  +1 415 683 7660 : www.webmink.com
 




-- 
Simon Phipps
+1 415 683 7660 : www.webmink.com


Re: [proposal] Neutral / shared security list ...

2011-10-25 Thread Dave Fisher

On Oct 25, 2011, at 4:01 PM, Dennis E. Hamilton wrote:

 Oh, and the most important part:
 
 In what way is the AOOo party to the consensus that is reached?  That 
 ooo-security (an agent of the PPMC, essentially) will participate in the 
 described community arrangement if established? Something else?

The assumption is that whoever we have on ooo-security that is on 
securityteam@oo.o will be the PPMC's agent on securityteam@oo.o and its neutral 
successor. Should securityteam@oo.o suddenly be acceptable then the plan is 
simplified.

 
 I think that would be essential to bringing this to a successful conclusion.

Yes.

Regards,
Dave

 
 -----Original Message-----
 From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org] 
 Sent: Tuesday, October 25, 2011 15:45
 To: 'ooo-dev@incubator.apache.org'
 Cc: 'Dave Fisher'
 Subject: RE: [proposal] Neutral / shared security list ...
 
 Dave, if you are going to do that, just relabeling a thread is not helpful.
 
 Please compose a specific concrete proposal under a [DISCUSS], and announce 
 the duration and end-time for a lazy consensus at the top.
 
 Give it at least 3 full 24-hour calendar days. 
 
 I don't have any sense that there is alignment yet, but there may be in that 
 time and I am happy to be mistaken.  Then at the end, if there is a 
 consensus, please report what it is.
 
 - Dennis
 
 -----Original Message-----
 From: Dave Fisher [mailto:dave2w...@comcast.net] 
 Sent: Tuesday, October 25, 2011 15:35
 To: ooo-dev@incubator.apache.org
 Cc: flo...@documentfoundation.org
 Subject: Re: [proposal] Neutral / shared security list ...
 
 Hi -
 
 Sorry to reply to myself.
 
 Even though there are choices in this email, please view it as a proposal 
 where we are seeking lazy consensus.
 
 On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote:
 
 On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote:
 
 On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net wrote:
 
 
 Agreed. We need to pick a neutral domain name. office-security.org is
 apparently free.
 
 Some institution needs to buy domain registration. I've been the volunteer
 registrar for a social groups domain, it is a pain to transition. This 
 needs
 to be an institution, it could be Team OOo?
 
 
 I think they are too close to the matter.  SPI exists specifically to hold
 assets in trust - perhaps they would hold the registration for us all?  If
 we agree I'd be happy to volunteer to contact them.
 
 It's also possible we could ask OSI to do it - Jim Jagielski and I are both
 on the Board at present.
 
 These are both interesting ideas.
 
 The proposal is to pick a domain and get registration. Simon volunteers to 
 help.
 
 
 
 
 
 
 An ISP for hosting the private ML needs to be selected. Dennis suggests
 that the ASF could be that ISP for free. 
 
 slight snip/
 
 And:
 
 insert
 
 On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote:
 
 snip/
 
 
 If we basically agree that such a list as outlined by me is a way to go, I 
 am happy to ask a friend of mine who has a very good reputation in being a 
 mail server, mailing list and security expert, with a very good track 
 record, including all sorts of certifications. He is offering e-mail 
 services as business.
 
 I just don't want to spread the name publicly without asking him first, 
 and I don't want to ask him, before we have some common understanding. :-)
 
 
 
 /insert
 
 The proposal is for the existing securityteam to choose, the above are two 
 possibilities.
 
 
 
 
 
 securityteam@oo.o is migrated to whatever the new list is, and those
 people start administrating.
 
 I think it is very important for the public to know who all of the projects
 are on the shared ML.
 
 I propose that this shared security team provide a list of participating 
 peers to the public.
 
 
 Are we done already :-)
 
 Let's let the world revolve to see if we have some Consensus.
 
 Revolve 3x or 72 hours.
 
 Regards,
 Dave
 
 
 Regards,
 Dave
 
 
 Regards,
 Dave
 
 
 That is fair to anyone, does not exclude anyone, does not benefit one
 over the other -- it's easy, simple, and the best way to go. Sure,
 everyone can create own aliases pointing to that list, but the core is
 the same, and that's what matters.
 
 If you folks now start complaining about we don't trust Apache, we can
 answer by complaining you don't trust TDF and so on. It's a horrible
 waste of time, it's lame, it does not help anyone, and it makes me doubt
 we're talking amongst adults, seriously.
 
 And, really, all this crap being tossed around about trustworthiness,
 upstream, downstream, code similarities and insults is worth not even
 the digital paper it's written on.
 
 I made a simple, plain, and easy proposal. Don't make things overly
 complicated, folks.
 
 Thanks for considering,
 Florian
 
 --
 Florian Effenberger flo...@documentfoundation.org
 Steering Committee and Founding Member of The Document Foundation
 Tel: +49 8341 99660880 | Mobile: +49 151 14424108
 Skype: floeff | 

RE: Neutral / shared security list ...

2011-10-25 Thread Dennis E. Hamilton
Andrew, I think part of the confusion is from the discussion leading up to the 
creation of ooo-security and some related discussion about why securityteam@ 
was not enough at that time.

Without getting into the he-said, she-said part of it, that seems to be the 
origin.  There was more when the TDF announcement about a CVE came up and 
securityteam@ was discussed in that context.

In the face of that, I think it is essential that there be a trustworthy 
statement to the effect that none of the things that have not happened will 
also not happen when ASF has custody.  

Absent that, this situation continues.  Perhaps even despite that.  But such an 
ASF-backed [PPMC] declaration would accomplish a great deal, it seems to me.

 - Dennis 





-----Original Message-----
From: Andrew Rist [mailto:andrew.r...@oracle.com] 
Sent: Tuesday, October 25, 2011 15:59
To: ooo-dev@incubator.apache.org
Subject: Re: Neutral / shared security list ...

I will drop off this thread after this post, as it seems that things are 
working toward a solution.
I would suggest though that it is rather frustrating to see all of this 
ink and blood spilt over what seems to be a misunderstanding.
--continued inline --

On 10/25/2011 3:40 PM, Florian Effenberger wrote:
 Hi,

 Andrew Rist wrote on 2011-10-26 00:34:
 I do not understand why this is easier than continuing on the existing
 list.

 when I asked that last time, I heard various replies:

 - You need to be an iCLA signer to be on that list.
You don't - you never have.  This list has been in existence for several 
years, and this has not changed.

 - You need to be an Apache contributor to be on that list.
You don't - you never have.  This list has been in existence for several 
years, and this has not changed.

 - We have no administrative access to that list.
This had not been an issue to date - it seems that this is solvable, and 
a way to create trust between the communities.

I'll add another issue that has been thrown out
   - people getting thrown off the list or excluded
This also has not happened.


Thus,
it is a bit frustrating to listen to this conversation and the search 
for a cure to a problem that may not have actually ever existed.
/rant
Andrew






 In the meantime, a bunch of other proposals have come in.

 Looking at the history of this issue (Michael outlined it very well), 
 I think a neutral, trusted ground is the best way to cooperate in this 
 matter.

 And again, I think everyone benefits the same from my proposal, with 
 no one overly preferred, and nobody losing anything. It demands the 
 same from everyone.

 Florian


-- 

Andrew Rist | Interoperability Architect
Oracle Corporate Architecture Group
Redwood Shores, CA | 650.506.9847



Re: [proposal] Neutral / shared security list ...

2011-10-25 Thread Dave Fisher

On Oct 25, 2011, at 4:05 PM, Rob Weir wrote:

 On Tue, Oct 25, 2011 at 7:01 PM, Dennis E. Hamilton
 dennis.hamil...@acm.org wrote:
 Oh, and the most important part:
 
 In what way is the AOOo party to the consensus that is reached?  That 
 ooo-security (an agent of the PPMC, essentially) will participate in the 
 described community arrangement if established? Something else?
 
 
 It would be good to also include in the proposal how IP will be
 treated.  By my reading of the iCLA this would not be covered, since
 it is not an Apache list.  We'd need to make some other agreement,
 take it to legal-discuss, etc.

I'm not so sure.

ooo-security is responsible for assuring that security fixes for AOOo are AL2 
compatible. If the shared security group is not producing compatible IP in 
response to a security threat that is a different problem. If it happens often 
then ooo-security will need to discuss this with ooo-private.

We can make it a mission statement of this group to help all the peers produce 
fixes that are compatible with their licenses. I don't think we can guarantee 
all individuals on the team will be able to always do so. Requiring such an 
affirmation is clearly a blocker for some individual's participation.

Regards,
Dave

 
 I think that would be essential to bringing this to a successful conclusion.
 
 -----Original Message-----
 From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
 Sent: Tuesday, October 25, 2011 15:45
 To: 'ooo-dev@incubator.apache.org'
 Cc: 'Dave Fisher'
 Subject: RE: [proposal] Neutral / shared security list ...
 
 Dave, if you are going to do that, just relabeling a thread is not helpful.
 
 Please compose a specific concrete proposal under a [DISCUSS], and announce 
 the duration and end-time for a lazy consensus at the top.
 
 Give it at least 3 full 24-hour calendar days.
 
 I don't have any sense that there is alignment yet, but there may be in that 
 time and I am happy to be mistaken.  Then at the end, if there is a 
 consensus, please report what it is.
 
  - Dennis
 
 -----Original Message-----
 From: Dave Fisher [mailto:dave2w...@comcast.net]
 Sent: Tuesday, October 25, 2011 15:35
 To: ooo-dev@incubator.apache.org
 Cc: flo...@documentfoundation.org
 Subject: Re: [proposal] Neutral / shared security list ...
 
 Hi -
 
 Sorry to reply to myself.
 
 Even though there are choices in this email, please view it as a proposal 
 where we are seeking lazy consensus.
 
 On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote:
 
 On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote:
 
 On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net 
 wrote:
 
 
 Agreed. We need to pick a neutral domain name. office-security.org is
 apparently free.
 
 Some institution needs to buy domain registration. I've been the volunteer
 registrar for a social groups domain, it is a pain to transition. This 
 needs
 to be an institution, it could be Team OOo?
 
 
 I think they are too close to the matter.  SPI exists specifically to hold
 assets in trust - perhaps they would hold the registration for us all?  If
 we agree I'd be happy to volunteer to contact them.
 
 It's also possible we could ask OSI to do it - Jim Jagielski and I are both
 on the Board at present.
 
 These are both interesting ideas.
 
 The proposal is to pick a domain and get registration. Simon volunteers to 
 help.
 
 
 
 
 
 
 An ISP for hosting the private ML needs to be selected. Dennis suggests
 that the ASF could be that ISP for free.
 
 slight snip/
 
 And:
 
 insert
 
 On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote:
 
 snip/
 
 
 If we basically agree that such a list as outlined by me is a way to go, I 
 am happy to ask a friend of mine who has a very good reputation in being a 
 mail server, mailing list and security expert, with a very good track 
 record, including all sorts of certifications. He is offering e-mail 
 services as business.
 
 I just don't want to spread the name publicly without asking him first, 
 and I don't want to ask him, before we have some common understanding. :-)
 
 
 
 /insert
 
 The proposal is for the existing securityteam to choose, the above are two 
 possibilities.
 
 
 
 
 
 securityteam@oo.o is migrated to whatever the new list is, and those
 people start administrating.
 
 I think it is very important for the public to know who all of the 
 projects
 are on the shared ML.
 
 I propose that this shared security team provide a list of participating 
 peers to the public.
 
 
 Are we done already :-)
 
 Let's let the world revolve to see if we have some Consensus.
 
 Revolve 3x or 72 hours.
 
 Regards,
 Dave
 
 
 Regards,
 Dave
 
 
 Regards,
 Dave
 
 
 That is fair to anyone, does not exclude anyone, does not benefit one
 over the other -- it's easy, simple, and the best way to go. Sure,
 everyone can create own aliases pointing to that list, but the core is
 the same, and that's what matters.
 
 If you folks now start complaining about we don't trust Apache, we 

RE: [proposal] Neutral / shared security list ...

2011-10-25 Thread Dennis E. Hamilton
+1

along with, as Rob mentioned, whatever legal and security@ apache.org review 
is needed from ASF for us to conduct the securityteam@ OO.o list that way, if 
that is the case.  I am thinking this is not so difficult.  Having 
ooo-security@ representatives at a different location is probably even less 
difficult in that respect.

In any case, having feedback from those parties during your [DISCUSS] would be 
helpful.

 - Dennis

-----Original Message-----
From: Dave Fisher [mailto:dave2w...@comcast.net]
Sent: Tuesday, October 25, 2011 16:12
To: dennis.hamil...@acm.org
Cc: ooo-dev@incubator.apache.org
Subject: Re: [proposal] Neutral / shared security list ...


On Oct 25, 2011, at 4:01 PM, Dennis E. Hamilton wrote:

 Oh, and the most important part:

 In what way is the AOOo party to the consensus that is reached?  That 
 ooo-security (an agent of the PPMC, essentially) will participate in the 
 described community arrangement if established? Something else?

The assumption is that whoever we have on ooo-security that is on 
securityteam@oo.o will be the PPMC's agent on securityteam@oo.o and its 
neutral successor. Should securityteam@oo.o suddenly be acceptable then the 
plan is simplified.


 I think that would be essential to bringing this to a successful conclusion.

Yes.

Regards,
Dave


 -----Original Message-----
 From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
 Sent: Tuesday, October 25, 2011 15:45
 To: 'ooo-dev@incubator.apache.org'
 Cc: 'Dave Fisher'
 Subject: RE: [proposal] Neutral / shared security list ...

 Dave, if you are going to do that, just relabeling a thread is not helpful.

 Please compose a specific concrete proposal under a [DISCUSS], and announce 
 the duration and end-time for a lazy consensus at the top.

 Give it at least 3 full 24-hour calendar days.

 I don't have any sense that there is alignment yet, but there may be in that 
 time and I am happy to be mistaken.  Then at the end, if there is a 
 consensus, please report what it is.

 - Dennis

 -----Original Message-----
 From: Dave Fisher [mailto:dave2w...@comcast.net]
 Sent: Tuesday, October 25, 2011 15:35
 To: ooo-dev@incubator.apache.org
 Cc: flo...@documentfoundation.org
 Subject: Re: [proposal] Neutral / shared security list ...

 Hi -

 Sorry to reply to myself.

 Even though there are choices in this email, please view it as a proposal 
 where we are seeking lazy consensus.

 On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote:

 On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote:

 On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net 
 wrote:


 Agreed. We need to pick a neutral domain name. office-security.org is
 apparently free.

 Some institution needs to buy domain registration. I've been the 
 volunteer
 registrar for a social groups domain, it is a pain to transition. This 
 needs
 to be an institution, it could be Team OOo?


 I think they are too close to the matter.  SPI exists specifically to hold
 assets in trust - perhaps they would hold the registration for us all?  If
 we agree I'd be happy to volunteer to contact them.

 It's also possible we could ask OSI to do it - Jim Jagielski and I are 
 both
 on the Board at present.

 These are both interesting ideas.

 The proposal is to pick a domain and get registration. Simon volunteers to 
 help.






 An ISP for hosting the private ML needs to be selected. Dennis suggests
 that the ASF could be that ISP for free.

 slight snip/

 And:

 insert

 On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote:

 snip/


 If we basically agree that such a list as outlined by me is a way to go, I 
 am happy to ask a friend of mine who has a very good reputation in being a 
 mail server, mailing list and security expert, with a very good track 
 record, including all sorts of certifications. He is offering e-mail 
 services as business.

 I just don't want to spread the name publicly without asking him first, 
 and I don't want to ask him, before we have some common understanding. :-)



 /insert

 The proposal is for the existing securityteam to choose, the above are two 
 possibilities.





 securityteam@oo.o is migrated to whatever the new list is, and those
 people start administrating.

 I think it is very important for the public to know who all of the 
 projects
 are on the shared ML.

 I propose that this shared security team provide a list of participating 
 peers to the public.


 Are we done already :-)

 Let's let the world revolve to see if we have some Consensus.

 Revolve 3x or 72 hours.

 Regards,
 Dave


 Regards,
 Dave


 Regards,
 Dave


 That is fair to anyone, does not exclude anyone, does not benefit one
 over the other -- it's easy, simple, and the best way to go. Sure,
 everyone can create own aliases pointing to that list, but the core is
 the same, and that's what matters.

 If you folks now start complaining about we don't trust Apache, we can
 answer by complaining you don't trust TDF and so on. It's a horrible
 

Re: Neutral / shared security list ...

2011-10-25 Thread Florian Effenberger

Hi,

Andrew Rist wrote on 2011-10-26 00:58:

I will drop off this thread after this post, as it seems that things are
working toward a solution.


I indeed hope for a solution soon. Too much time has been wasted 
already, rather than working productively, so if we really would move 
towards a solution, I'd applaud that.



I would suggest though that it is rather frustrating to see all of this
ink and blood spilt over what seems to be a misunderstanding.


Well, if I recall, my initial proposal has been to simply keep things as 
is, with the existing list, the contacts on it, and the way things 
worked. I was told that this does not fit to the Apache way and does not 
work, that separate lists are required and so on and so on. I was 
proposing the easiest way in the beginning, it was not desired for some 
formal/philosophical/whatever reason.


I tried again this time with proposing a neutral, trustworthy 
third-party to host things, hoping this will be accepted by all parties. 
Let's see how this turns out.


Florian

--
Florian Effenberger flo...@documentfoundation.org
Steering Committee and Founding Member of The Document Foundation
Tel: +49 8341 99660880 | Mobile: +49 151 14424108
Skype: floeff | Twitter/Identi.ca: @floeff


RE: [proposal] Neutral / shared security list ...

2011-10-25 Thread Dennis E. Hamilton
It seems to me that sharing fixes is not nearly as crucial as sharing 
identification of vulnerabilities and a little hobnobbing on how the 
vulnerability will be made known when it exists in more than one project's 
releases.  There might not be coordinated patching and releasing.  It all 
depends.  It might not be one-patch fixes all.  Contribution of a patch that is 
worked up can be dealt with in a concrete case.  The idea is that this is a 
cooperative activity and we'll do the right thing.  (I found out how to put 
we in my messages and route around my auto-corrector objection.)

But this is about what is likely to happen. The question, for now, is having 
the shared forum or not.

 - Dennis

-----Original Message-----
From: Dave Fisher [mailto:dave2w...@comcast.net] 
Sent: Tuesday, October 25, 2011 16:20
To: ooo-dev@incubator.apache.org
Subject: Re: [proposal] Neutral / shared security list ...


On Oct 25, 2011, at 4:05 PM, Rob Weir wrote:

 On Tue, Oct 25, 2011 at 7:01 PM, Dennis E. Hamilton
 dennis.hamil...@acm.org wrote:
 Oh, and the most important part:
 
 In what way is the AOOo party to the consensus that is reached?  That 
 ooo-security (an agent of the PPMC, essentially) will participate in the 
 described community arrangement if established? Something else?
 
 
 It would be good to also include in the proposal how IP will be
 treated.  By my reading of the iCLA this would not be covered, since
 it is not an Apache list.  We'd need to make some other agreement,
 take it to legal-discuss, etc.

I'm not so sure.

ooo-security is responsible for assuring that security fixes for AOOo are AL2 
compatible. If the shared security group is not producing compatible IP in 
response to a security threat that is a different problem. If it happens often 
then ooo-security will need to discuss this with ooo-private.

We can make it a mission statement of this group to help all the peers produce 
fixes that are compatible with their licenses. I don't think we can guarantee 
all individuals on the team will be able to always do so. Requiring such an 
affirmation is clearly a blocker for some individual's participation.

Regards,
Dave

 
 I think that would be essential to bringing this to a successful conclusion.
 
 -----Original Message-----
 From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
 Sent: Tuesday, October 25, 2011 15:45
 To: 'ooo-dev@incubator.apache.org'
 Cc: 'Dave Fisher'
 Subject: RE: [proposal] Neutral / shared security list ...
 
 Dave, if you are going to do that, just relabeling a thread is not helpful.
 
 Please compose a specific concrete proposal under a [DISCUSS], and announce 
 the duration and end-time for a lazy consensus at the top.
 
 Give it at least 3 full 24-hour calendar days.
 
 I don't have any sense that there is alignment yet, but there may be in that 
 time and I am happy to be mistaken.  Then at the end, if there is a 
 consensus, please report what it is.
 
  - Dennis
 
 -----Original Message-----
 From: Dave Fisher [mailto:dave2w...@comcast.net]
 Sent: Tuesday, October 25, 2011 15:35
 To: ooo-dev@incubator.apache.org
 Cc: flo...@documentfoundation.org
 Subject: Re: [proposal] Neutral / shared security list ...
 
 Hi -
 
 Sorry to reply to myself.
 
 Even though there are choices in this email. Please view it as a proposal. 
 Where we are seeking lazy consensus.
 
 On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote:
 
 On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote:
 
 On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net 
 wrote:
 
 
 Agreed. We need to pick a neutral domain name. office-security.org is
 apparently free.
 
 Some institution needs to buy domain registration. I've been the volunteer
 registrar for a social groups domain, it is a pain to transition. This 
 needs
 to be an institution, it could be Team OOo?
 
 
 I think they are too close to the matter.  SPI exists specifically to hold
 assets in trust - perhaps they would hold the registration for us all?  If
 we agree I'd be happy to volunteer to contact them.
 
 It's also possible we could ask OSI to do it - Jim Jagielski and I are both
 on the Board at present.
 
 These are both interesting ideas.
 
 The proposal is to pick a domain and get registration  Simon volunteers to 
 help.
 
 
 
 
 
 
 An ISP for hosting the private ML needs to be selected. Dennis suggests
 that the ASF could be that ISP for free.
 
 slight snip/
 
 And:
 
 insert
 
 On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote:
 
 snip/
 
 
 If we basically agree that such a list as outlined by me is a way to go, I 
 am happy to ask a friend of mine who has a very good reputation in being a 
 mail server, mailing list and security expert, with a very good track 
 record, including all sorts of certifications. He is offering e-mail 
 services as business.
 
 I just don't want to spread the name publicly without asking him first, 
 and I don't want to ask him, before we have some common understanding. :-)
 
 
 

Re: [proposal] Neutral / shared security list ...

2011-10-25 Thread Rob Weir
On Tue, Oct 25, 2011 at 7:19 PM, Dave Fisher dave2w...@comcast.net wrote:

 On Oct 25, 2011, at 4:05 PM, Rob Weir wrote:

 On Tue, Oct 25, 2011 at 7:01 PM, Dennis E. Hamilton
 dennis.hamil...@acm.org wrote:
 Oh, and the most important part:

 In what way is the AOOo party to the consensus that is reached?  That 
 ooo-security (an agent of the PPMC, essentially) will participate in the 
 described community arrangement if established? Something else?


 It would be good to also include in the proposal how IP will be
 treated.  By my reading of the iCLA this would not be covered, since
 it is not an Apache list.  We'd need to make some other agreement,
 take it to legal-discuss, etc.

 I'm not so sure.


Think of it this way: where else at Apache is it permissible for an
Incubation project to collaborate on project code on a private
non-Apache list, with no agreement on license, no mentor visibility,
and no audit trail for Apache members to inspect?  This doesn't sound
like the kind of diligence Apache projects traditionally give to IP
issues everywhere else.  We owe it to our users and ourselves to get
this right.

 ooo-security is responsible for assuring that security fixes for AOOo are AL2 
 compatible. If the shared security group is not producing compatible IP in 
 response to a security threat that is a different problem. If it happens 
 often then ooo-security will need to discuss this with ooo-private.


Putting the responsibility on ooo-security members in such an
untenable situation will only lead to the resignation of ooo-security
members.  I think we need some way to enforce this.

From what I'm reading, not even Apache committers who have signed the
iCLA are bound to the iCLA for contributions made on some ad-hoc,
private, non-Apache list.

 We can make it a mission statement of this group to help all the peers 
 produce fixes that are compatible with their licenses. I don't think we can 
 guarantee all individuals on the team will be able to always do so. Requiring 
 such an affirmation is clearly a blocker for some individual's participation.


I think then we need to weigh having a smashing fun party with LO
hackers in a private, unauditable list with no license discipline
versus Apache's primary mission of producing software for public use
under the Apache 2.0 license.

The alternative is to step back, realize that Florian has confused
what the PPMC position is on securityteam participation and take that
route.  Since that would be an Apache list, AOOo committers would
already be covered. And we could cover the remaining users via a Terms
of Use statement for the list.

-Rob

 Regards,
 Dave


 I think that would be essential to bringing this to a successful conclusion.

 -----Original Message-----
 From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
 Sent: Tuesday, October 25, 2011 15:45
 To: 'ooo-dev@incubator.apache.org'
 Cc: 'Dave Fisher'
 Subject: RE: [proposal] Neutral / shared security list ...

 Dave, if you are going to do that, just relabeling a thread is not helpful.

 Please compose a specific concrete proposal under a [DISCUSS], and announce 
 the duration and end-time for a lazy consensus at the top.

 Give it at least 3 full 24-hour calendar days.

 I don't have any sense that there is alignment yet, but there may be in 
 that time and I am happy to be mistaken.  Then at the end, if there is a 
 consensus, please report what it is.

  - Dennis

 -----Original Message-----
 From: Dave Fisher [mailto:dave2w...@comcast.net]
 Sent: Tuesday, October 25, 2011 15:35
 To: ooo-dev@incubator.apache.org
 Cc: flo...@documentfoundation.org
 Subject: Re: [proposal] Neutral / shared security list ...

 Hi -

 Sorry to reply to myself.

 Even though there are choices in this email. Please view it as a proposal. 
 Where we are seeking lazy consensus.

 On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote:

 On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote:

 On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net 
 wrote:


 Agreed. We need to pick a neutral domain name. office-security.org is
 apparently free.

 Some institution needs to buy domain registration. I've been the 
 volunteer
 registrar for a social groups domain, it is a pain to transition. This 
 needs
 to be an institution, it could be Team OOo?


 I think they are too close to the matter.  SPI exists specifically to hold
 assets in trust - perhaps they would hold the registration for us all?  If
 we agree I'd be happy to volunteer to contact them.

 It's also possible we could ask OSI to do it - Jim Jagielski and I are 
 both
 on the Board at present.

 These are both interesting ideas.

 The proposal is to pick a domain and get registration  Simon volunteers to 
 help.






 An ISP for hosting the private ML needs to be selected. Dennis suggests
 that the ASF could be that ISP for free.

 slight snip/

 And:

 insert

 On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote:

 snip/


 If we basically agree that 

Re: Neutral / shared security list ...

2011-10-25 Thread Dave Fisher

On Oct 25, 2011, at 4:25 PM, Florian Effenberger wrote:

 Hi,
 
 Andrew Rist wrote on 2011-10-26 00:58:
 I will drop off this thread after this post, as it seems that things are
 working toward a solution.
 
 I indeed hope for a solution soon. Too much time has been wasted already, 
 rather than working productively, so if we really would move towards a 
 solution, I'd applaud that.
 
 I would suggest though that it is rather frustrating to see all of this
 ink and blood spilt over what seems to be a misunderstanding.
 
 Well, if I recall, my initial proposal has been to simply keep things as is, 
 with the existing list, the contacts on it, and the way things worked. I was 
 told that this does not fit to the Apache way and does not work, that 
 separate lists are required and so on and so on. I was proposing the easiest 
 way in the beginning, it was not desired for some 
 formal/philosophical/whatever reason.

There were a lot of conflicting remarks.

 I tried again this time with proposing a neutral, trustworthy third-party to 
 host things, hoping this will be accepted by all parties. Let's see how this 
 turns out.

Let us know if securityteam@oo.o is now preferred. Otherwise you can see my 
proposal which I think is essentially yours.

Regards,
Dave



 
 Florian
 
 -- 
 Florian Effenberger flo...@documentfoundation.org
 Steering Committee and Founding Member of The Document Foundation
 Tel: +49 8341 99660880 | Mobile: +49 151 14424108
 Skype: floeff | Twitter/Identi.ca: @floeff



Re: [proposal] Neutral / shared security list ...

2011-10-25 Thread Dave Fisher

On Oct 25, 2011, at 4:43 PM, Rob Weir wrote:

 On Tue, Oct 25, 2011 at 7:19 PM, Dave Fisher dave2w...@comcast.net wrote:
 
 On Oct 25, 2011, at 4:05 PM, Rob Weir wrote:
 
 On Tue, Oct 25, 2011 at 7:01 PM, Dennis E. Hamilton
 dennis.hamil...@acm.org wrote:
 Oh, and the most important part:
 
 In what way is the AOOo party to the consensus that is reached?  That 
 ooo-security (an agent of the PPMC, essentially) will participate in the 
 described community arrangement if established? Something else?
 
 
 It would be good to also include in the proposal how IP will be
 treated.  By my reading of the iCLA this would not be covered, since
 it is not an Apache list.  We'd need to make some other agreement,
 take it to legal-discuss, etc.
 
 I'm not so sure.
 
 
 Think of it this way: where else at Apache is it permissible for an
 Incubation project to collaborate on project code on a private
 non-Apache list, with no agreement on license, no mentor visibility,
 and no audit trail for Apache members to inspect?  This doesn't sound
 like the kind of diligence Apache projects traditionally give to IP
 issues everywhere else.  We owe it to our users and ourselves to get
 this right.

We only care about the code that actually makes it into AOOo. Only ooo-security 
members will be committing code fixes for AOOo security issues.

 
 ooo-security is responsible for assuring that security fixes for AOOo are 
 AL2 compatible. If the shared security group is not producing compatible IP 
 in response to a security threat that is a different problem. If it happens 
 often then ooo-security will need to discuss this with ooo-private.
 
 
 Putting the responsibility on ooo-security members in such an
 untenable situation will only lead to the resignation of ooo-security
 members.  I think we need some way to enforce this.

If it becomes a problem then we deal with it on ooo-private as a community 
problem. Either we'll need more PPMC on ooo-security or there will be a 
tangible issue to resolve.

 
 From what I'm reading, not even Apache committers who have signed the
 iCLA are bound to the iCLA for contributions made on some ad-hoc,
 private, non-Apache list.

So?

 We can make it a mission statement of this group to help all the peers 
 produce fixes that are compatible with their licenses. I don't think we can 
 guarantee all individuals on the team will be able to always do so. 
 Requiring such an affirmation is clearly a blocker for some individual's 
 participation.
 
 
 I think then we need to weigh having a smashing fun party with LO
 hackers in a private, unauditable list with no license discipline
 versus Apache's primary mission of producing software for public use
 under the Apache 2.0 license.

Code through Community. I'm trying to find a way to keep the larger community 
together.

You are asserting that the list will be unauditable when the ASF is still a 
possible ISP?

You are asserting a smashing fun party problem that is not visible to me.

 
 The alternative is to step back, realize that Florian has confused
 what the PPMC position is on securityteam participation and take that
 route.  Since that would be an Apache list, AOOo committers would
 already be covered. And we could cover the remaining users via a Terms
 of Use statement for the list.

I'm trying to get there, but let's not forget that others have raised the 
domain neutrality requirement.

Regards,
Dave

 
 -Rob
 
 Regards,
 Dave
 
 
 I think that would be essential to bringing this to a successful 
 conclusion.
 
 -----Original Message-----
 From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
 Sent: Tuesday, October 25, 2011 15:45
 To: 'ooo-dev@incubator.apache.org'
 Cc: 'Dave Fisher'
 Subject: RE: [proposal] Neutral / shared security list ...
 
 Dave, if you are going to do that, just relabeling a thread is not helpful.
 
 Please compose a specific concrete proposal under a [DISCUSS], and 
 announce the duration and end-time for a lazy consensus at the top.
 
 Give it at least 3 full 24-hour calendar days.
 
 I don't have any sense that there is alignment yet, but there may be in 
 that time and I am happy to be mistaken.  Then at the end, if there is a 
 consensus, please report what it is.
 
  - Dennis
 
 -----Original Message-----
 From: Dave Fisher [mailto:dave2w...@comcast.net]
 Sent: Tuesday, October 25, 2011 15:35
 To: ooo-dev@incubator.apache.org
 Cc: flo...@documentfoundation.org
 Subject: Re: [proposal] Neutral / shared security list ...
 
 Hi -
 
 Sorry to reply to myself.
 
 Even though there are choices in this email. Please view it as a proposal. 
 Where we are seeking lazy consensus.
 
 On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote:
 
 On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote:
 
 On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net 
 wrote:
 
 
 Agreed. We need to pick a neutral domain name. office-security.org is
 apparently free.
 
 Some institution needs to buy domain registration. I've been 

Re: Mailing list user migration: Staging and volunteers

2011-10-25 Thread Rob Weir
On Tue, Oct 25, 2011 at 6:43 PM, Andrew Rist andrew.r...@oracle.com wrote:


 On 10/25/2011 2:43 PM, Rob Weir wrote:

 On Tue, Oct 25, 2011 at 5:36 PM, Kay Schenk kay.sch...@gmail.com wrote:

 On Tue, Oct 25, 2011 at 2:30 PM, Rob Weir robw...@apache.org wrote:

 A quick summary of where we are, in case you haven't been following
 the previous threads.

 Information on the top 100 legacy mailing lists is on the wiki [1].
 A draft note that will be sent to these lists is on another page [2].

 If you note in that first page, the Migration Owner column is blank.
  So either I need to quickly learn French, Dutch and Japanese, or I
 need some help here.

 Volunteers would translate the note, send it to the relevant NL lists,
 and be available on those lists to answer any migration-related
 questions.  Ideally you would already be a participant on the lists
 and familiar to that community.

 As for staging, I'd recommend that we do not do this all at once.
 Migrating 100 lists at once would be very messy.  But we can easily
 break this down into related groups of lists and do the migration over
 a few weeks.  One possible staging would be:

 1) All the lists that will be merged into the new ooo-marketing list.
 This will help jump start that list's important work, and bring
 community members into the discussion who might not have been
 interested in the other topics we've been discussing on ooo-dev.

 2) All of the lists that will be merged into ooo-dev

 3) All of the lists that will be merged into ooo-users

 4) NL lists (which could be done in parallel with the above.  However,
 they will require some discussion and admin work to create new
 ooo-lang lists,)

 The thought behind this staging is that we work out the kinks with
 the more technical and (hopefully) more forgiving project lists,
 before moving on to the user and NL lists.  We can adjust the
 instructions and messaging based on what we learn from the initial
 migrations.

 Regards,

 -Rob


 Have the new NL lists been setup already? I may have missed that and I
 haven't looked at any jira tix.

 No NL lists yet, except for Japanese.  We need moderator volunteers
 before we can request them.

 Process for getting a new mailing list created is here:

 http://www.apache.org/dev/committers.html#new-mailing-list

 Probably makes sense to start with the largest NL communities first?

 Have we considered having a list for 'un-represented languages'?
 If a user does not find their language, where do they go?  Posting to the
 English list or ooo-dev in another language is frowned on.
 This is a bootstrapping question.
 Where can a community go to say that they exist, have a need, and would like
 to create a list.


There are some words of wisdom in the Committer's FAQ [1] regarding user lists:

WARNING: the creation of a user mail list can be a very dangerous
thing for a community if the developers don't pay attention to their
users and if users don't have developers that reply to their emails.
Sure, active developers should expect a well behaving user community
to reply to one another for simple questions, but this doesn't happen
overnight and the creation of a user mail list alone can turn into a
very harmful change.

So I think we would want to consider on each request whether we have
sufficient interest to have a self-supporting user support community.
Having an existing committer who speaks the language is great.  Having
a number of power users is also good.  But having users asking
questions and getting no answers --- that would reflect poorly on the
project.

That said, I have absolutely no idea how we would determine this for a
new list.  For existing lists I think we can look at the archives and
see how much traffic they are getting, whether questions are being
answered, etc.  But if someone requests a Klingon list, how do we know
if there is a sufficient community behind it?

As for where to ask, I think that is ooo-dev by default, and the
request would need to be made in English or some other language that
we can figure out how to translate.

[1]: http://www.apache.org/dev/committers.html#new-mailing-list


I think that would be ooo-dev, in a language that

ooo-dev is essentially the central list for the project, in terms of
announcements, posting project-wide proposals, etc.

 I understand we don't want to create dead lists, and don't want to create a
 list that cannot be self sustainable,
 but it seems like there is a gap here for bringing in new communities.

 [1] https://cwiki.apache.org/confluence/display/OOOUSERS/Mailing+lists
 [2]

 https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post



 --

 ---
 MzK

 This is no social crisis
  Just another tricky day for you.
                 -- Tricky Day, the Who


 --

 Andrew Rist | Interoperability Architect
 Oracle Corporate Architecture Group
 Redwood Shores, CA | 650.506.9847



