Re: Areas for cooperation between AOOO and LO [was: Cooperation withRe: Neutral / shared security list ...]
Seems to me that while the focus is political point scoring, aggression, sarcasm and such the chances of getting cooperation are zero. On 25 October 2011 00:32, Rob Weir robw...@apache.org wrote: On Mon, Oct 24, 2011 at 7:11 PM, Simon Phipps si...@webmink.com wrote: On 25 Oct 2011, at 00:56, Rob Weir wrote: Hi Simon, do you have any other ideas for cooperation, preferably ones that are not redundant? While I am amused that your first words after hopefully will attract fewer trolls themselves include a mean-spirited troll, I'm sorry you think a collaborative security mailing list with shared, collaborative ownership is redundant. We already have a collaborative security mailing list that has 4 LO members on it, as well as several AOOo members, representatives from other vendors, security experts from Linux distros, etc. So we are already there. Creating a new list for the same thing would be redundant. We clearly have very different views of the world. I continue to think such a list holds great opportunity for collaboration since it was working in that role for many months, but it's hard to see how it can now be the securityteam@ list, unfortunately (unless you're speaking alone, of course). As above, the list exists and LO and AOOo members are already on it. Time to declare success and find additional areas to collaborate. I suggested cooperating on translations via a shared Pootle instance. Hard to see how that would work since it would require the source to be highly similar and that looks unlikely to be the case. I think the value would come from the translation memory aspect. So even if we had different source files, the UI's of the products are nearly identical, and the underlying concepts of the products remain very much the same and likely will remain so for the foreseeable future. (it is not like spreadsheets and word processors have changed much in the past decade).
So there may be some value in sharing translation memory of basic concepts and repeated patterns that are common to describing both products. It also makes it easier for translators who wish to contribute to both products at once, similar to what ODF Authors has done for documentation. Or maybe code browsing/searching facilities with OpenGrok. Are either of those possible? Hard to see how two very different source trees can have a shared browser. It would be best for Apache to run its own instance. Or maybe work on a collaborative QA site as an alternative user support option? Plausible in the future but a little early to be proposing it - YAGNI applies. A little too early? It looks like someone is already trying this for LO, but they are failing to get enough participation needed to graduate on StackExchange. So it looks like an area ripe for collaboration: http://area51.stackexchange.com/proposals/24564/libreoffice Or maybe a shared template and extensions site? I believe I once proposed such a thing, and was told by both communities that licensing issues would largely prevent it. I certainly proposed such a thing, and licensing was not an issue in my proposal. Maybe we should revisit, if you think this is a possible area for collaboration? Any other ideas? Delighted to hear you are now such a fan of co-operation though, Rob. I'll be sure to support any viable proposals you present to both communities. I'll continue to float the ideas by you first, Simon. I'd like you to be able to find some success in your goal to lead these projects to find areas to collaborate. -Rob S. -- Ian Ofqual Accredited IT Qualifications (The Schools ITQ) www.theINGOTs.org +44 (0)1827 305940 The Learning Machine Limited, Reg Office, 36 Ashby Road, Tamworth, Staffordshire, B79 8AQ. Reg No: 05560797, Registered in England and Wales.
Re: working on a OpenOffice roadmap
On Mon, Oct 24, 2011 at 8:20 PM, Pedro Giffuni p...@apache.org wrote: If libreoffice encourages, but not requires, AL2 for stuff in the core package, that would be a huge advance to get a bit nearer both camps. Given licenses are the expression of the ethos of a community, it's disingenuous and divisive to assume any community will drop its governance approach like this, Pedro. It translates as the path to collaboration is your surrender; we can negotiate once you've done that. You make it sound so innocent, too, by missing out the other requirement that Apache would have for contributors to sign an ICLA and thus join Apache :-) S.
Re: Neutral / shared security list ...
Hi Dave, On Mon, 2011-10-24 at 16:25 -0700, Dave Fisher wrote: Not sure how much this is like your original proposal, but maybe the following is acceptable: (1) The securityt...@openoffice.org continues. As mentioned, not happy about an openoffice.org domain; LibreOffice is not openoffice.org, that is not really neutral. (2) The membership of securityteam ML should be open to individuals and forks/downstreams as selected by the ML membership. Fine - though I'd characterise AOOoI as a fork too if this is used as a loaded term. (3) The securityteam ML moderators are selected from the individual membership of the securityteam ML. Fine. (4) The securityteam ML is nominally under the governance of the ASF - either the AOOo podling PPMC, the Apache Security Team, or even the Foundation Board. I think the AOOo podling PPMC should be acceptable, but we can ask the other entities if that is not neutral enough. We may ask the TDF to neutrally host some component and it would make sense for each entity to trust the neutrality of the other entity (Rob's real point). Totally unacceptable, I'm sorry. The Apache project is by no means neutral. The decision to take on AOOoI and the actions of that project are its responsibility. (5) No iCLAs are required. Of course. (6) A set point for membership is determined when at least AOOo, TDF, and any other OOo fork/downstreams who might appear within a reasonably short time period. The deadline would need to be agreed. I would not have a process - we should just include everyone competent who has a reason to be there; that is normally fairly easy to work out relationally; if not the moderators can thrash it out. If it is a multi-vendor, neutral list I don't envisage controversy there. (7) The securityt...@openoffice.org ML will be hosted by the ASF when the MX for openoffice.org is moved to ASF Infrastructure. Hosting by the ASF is by no means ideal, but perhaps compromise here is reasonable.
I'm currently curious if LO uses extensions.s.oo.o and templates.s.oo.o? We built our own new infrastructure for that. So - I am still fairly firmly convinced that this security thing is not going to pan out. Here is my potted history of it: * initial request for continuing the traditional, friendly cross membership of security lists + turned down at AOOoI: Apache Committers only * requests for a neutral list with neutral name turn into: + ASF openoffice.org -are-neutral-; proof by assertion * more compromise proposals arrive + these have high level ASF governance hard-wired This doesn't make it seem like we're going anywhere productive, which is fine - there is no huge problem with having two separate public facing security lists that can have cross membership on them. Since there is no TDF affiliated admin for the currently suggested, Apache controlled, 'neutral' security list, extracting a membership list of that would be appreciated - so we can mirror it in a suitable other place. I'm also minded to consider the relative grief of endlessly re-hashing this issue vs. actually fixing whatever bugs are found. Can we not just move on. All the best, Michael. -- michael.me...@suse.com , Pseudo Engineer, itinerant idiot
Re: Neutral / shared security list ...
Hi Rob, On Sat, 2011-10-22 at 22:59 -0400, Rob Weir wrote: I just noticed that the LO help website is heavily linked into the OOo wiki. Thanks for the report :-) http://www.google.com/search?q=site%3Ahelp.libreoffice.org+link%3Awiki.services.openoffice.org About 732,000 results Looks impressive; then again this is because we have multiple versions of the help on-line, translated into multiple languages. I append the list of 24 dangling links we haven't noticed and migrated at the end, generated with a tool closer to home:
cd helpcontent2
git grep 'services.openoffice.org' | sed 's/.*http:\/\///' | sed s/\.*// | sed 's/.*//' | sort | uniq | wc -l
24
Though perhaps I screwed that up; we should certainly update those twenty four links to have a consistent set of help based on our infrastructure. Again, we're very pleased to help TDF/LO in this area, by ensuring the long-term availability of these pages, as they are migrated over to Apache control and management. Thank you. But I have not heard anyone complaining that the wiki is not sufficiently neutral because it is going to Apache I'm sorry you missed that: the wiki is not sufficiently neutral because it is going to Apache. Of course, in the abstract I applaud the best of brothers sentiment, and it plays very well - the reality presented daily doesn't match this. Obviously I should write more on that clearly since it seems to be invisible to some. All the very best, Michael.
extensions.services.openoffice.org
extensions.services.openoffice.org/
extensions.services.openoffice.org/dictionary
extensions.services.openoffice.org/project/pdfimport
wiki.services.openoffice.org/mwiki/index.php?title=Calc/Features/JIS_and_ASC_functions
wiki.services.openoffice.org/wiki/Accessibility
wiki.services.openoffice.org/wiki/Database
wiki.services.openoffice.org/wiki/Documentation/BASIC_Guide
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Adding_More_Languages
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Calc:_CONVERT_ADD_function
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Calc:_LINEST_function
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Calc:_WEIBULL_function
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Calc:_ZTEST_function
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Conditional_Counting_and_Summation
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Defining_a_Data_Range
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Regular_Expressions_in_Calc
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Regular_Expressions_in_Writer
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Setting_up_a_Style_for_Numbering_Lines_in_Code_Listings
wiki.services.openoffice.org/wiki/Documentation/How_Tos/Spellchecking_in_More_Languages
wiki.services.openoffice.org/wiki/Documentation/OOoAuthors_User_Manual/Migration_Guide
wiki.services.openoffice.org/wiki/How_to_use_digital_Signatures
wiki.services.openoffice.org/wiki/Macros_in_Database_Documents
wiki.services.openoffice.org/wiki/MSA-Base_Faq
wiki.services.openoffice.org/wiki/Non_Breaking_Spaces_Before_Punctuation_In_French_(espaces_ins%C3%A9cables)
-- michael.me...@suse.com , Pseudo Engineer, itinerant idiot
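The git grep / sed pipeline in Michael's mail has lost characters in the archive, so the same audit is written out here as an added example; it is not from the thread or from either project's tooling. It scans lines of help content for URLs, keeps the distinct targets (scheme stripped, as the sed pipeline does) whose host sits under a given domain, and returns them sorted, so the length of the result is the count the pipeline ends with. The input lines are constructed; the link targets in them are taken from the list above, the surrounding markup is made up, and the help.libreoffice.org line is a control that must not be reported.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// urlPattern matches an http or https URL up to the first whitespace, quote
// or angle bracket, which is where help-file markup terminates a link.
var urlPattern = regexp.MustCompile(`https?://[^\s"'<>]+`)

// SampleHelpLines is constructed input standing in for help-content files.
// The link targets come from the list Michael posted; the markup around
// them is invented, and the help.libreoffice.org line is a control.
var SampleHelpLines = []string{
	`<link href="http://wiki.services.openoffice.org/wiki/Accessibility">Accessibility</link>`,
	`<link href="http://extensions.services.openoffice.org/dictionary">Dictionaries</link>`,
	`<link href="http://wiki.services.openoffice.org/wiki/Accessibility">Accessibility</link>`,
	`See http://help.libreoffice.org/Writer/Index for the migrated page.`,
	`<link href="http://extensions.services.openoffice.org/project/pdfimport">PDF Import</link>`,
}

// LinksUnderDomain returns the distinct link targets (scheme stripped) whose
// host is domain or a subdomain of it, sorted for stable output. Duplicates
// collapse, mirroring the sort | uniq stage of the pipeline.
func LinksUnderDomain(lines []string, domain string) []string {
	seen := make(map[string]bool)
	for _, line := range lines {
		for _, u := range urlPattern.FindAllString(line, -1) {
			target := strings.TrimPrefix(strings.TrimPrefix(u, "https://"), "http://")
			host := strings.SplitN(target, "/", 2)[0]
			if host == domain || strings.HasSuffix(host, "."+domain) {
				seen[target] = true
			}
		}
	}
	targets := make([]string, 0, len(seen))
	for t := range seen {
		targets = append(targets, t)
	}
	sort.Strings(targets)
	return targets
}

func main() {
	targets := LinksUnderDomain(SampleHelpLines, "services.openoffice.org")
	for _, t := range targets {
		fmt.Println(t)
	}
	fmt.Println(len(targets)) // the count the pipeline's wc -l reports
}
```

Run over a real checkout, the lines would come from reading the help files rather than from SampleHelpLines; the domain check matches any subdomain, so wiki.services.openoffice.org and extensions.services.openoffice.org are both caught by the single pattern.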
Re: Neutral / shared security list ...
On 25 Oct 2011, at 02:55, Dave Fisher wrote: I tried to be ambiguous with fork/downstream. There is a relationship, and whether it originates as a fork, upstream, downstream, or upside-down relationship the relationship *IS* a *PEER* relationship. (auf Deutsch, ist klar?) :-) I just want to make clear that, listening to both sides of this issue, it is very easy (on both sides) for people to use language that is unintentionally inflammatory and then treat the other party as at fault when they react to it... So, this could be a true point of co-operation, there was a thread about this and it did have some good ideas. Extensions and especially templates are likely to be compatible. This isn't a given. By the time AOOo makes an end-user release, there are likely to be substantial differences and a shared add-ons repo would probably need to distinguish strongly between the two projects. Still worth considering though, I agree. Given the licensing issues with Apache hosting it does make more sense for the TDF to host these. TDF won't host closed extensions though, so the combined (TDF + Apache) repo would still hold less than the current repo. No technical reasons why the openoffice.org DNS for these couldn't point to servers hosted by the TDF. Maybe this is a compromise solution for the security list too? make it coordinat...@security.openoffice.org and point the MX at a TDF server? S.
Re: working on a OpenOffice roadmap
On 25 October 2011 11:28, Simon Phipps si...@webmink.com wrote: On Mon, Oct 24, 2011 at 8:20 PM, Pedro Giffuni p...@apache.org wrote: If libreoffice encourages, but not requires, AL2 for stuff in the core package, that would be a huge advance to get a bit nearer both camps. Given licenses are the expression of the ethos of a community, it's disingenuous and divisive to assume any community will drop its governance approach like this, Pedro. It translates as the path to collaboration is your surrender; we can negotiate once you've done that. You make it sound so innocent, too, by missing out the other requirement that Apache would have for contributors to sign an ICLA and thus join Apache :-) I didn't interpret it like that. From a practical point of view AL2 can be used and converted downstream, it's not possible for LGPL to be used AL2 so the only way code can be shared is via AL2. If some developers feel strongly about that, they can contribute only to the LGPL licensed pool. If some are not so concerned they can contribute to AL2 because it will work with both. Ok that is effectively a commit to Apache, but since all Apache commits are potentially reusable in a LGPL project, why is that seen as such a one way traffic thing? Really Pedro is simply saying encourage people that don't feel too strongly about it to use the AL2 license. If that is a problem I doubt there is much point in taking the discussion further. -- Ian Ofqual Accredited IT Qualifications (The Schools ITQ) www.theINGOTs.org +44 (0)1827 305940 The Learning Machine Limited, Reg Office, 36 Ashby Road, Tamworth, Staffordshire, B79 8AQ. Reg No: 05560797, Registered in England and Wales.
Re: working on a OpenOffice roadmap
Hi Simon; I try to give people the benefit of the doubt. Ethos is something that goes well beyond a license, and once you read the iCLA it's not an impossible thing to ask ( you signed it), and it's surely not what SUN had in place. That said, and it's something I have argued about publicly with Rob, while the iCLA is a requisite to become a committer, it is not a requisite to contribute. Furthermore, once we start doing releases (and trust me, we will get there) they are likely to start including AL2 code anyways. Am I naive? Yes. I was never part of the previous OOo community led by SUN so perhaps not having that trauma helps me see things a lot simpler than they are. There is an evident lack of confidence in us over there and as I said before, in private, we can't start activities like a shared security list if there is no confidence first. I stand to the principle that we are neutral, and that every vendor or community member is free to join or leave whenever they want. Pedro. --- On Tue, 10/25/11, Simon Phipps si...@webmink.com wrote: On Mon, Oct 24, 2011 at 8:20 PM, Pedro Giffuni p...@apache.org wrote: If libreoffice encourages, but not requires, AL2 for stuff in the core package, that would be a huge advance to get a bit nearer both camps. Given licenses are the expression of the ethos of a community, it's disingenuous and divisive to assume any community will drop its governance approach like this, Pedro. It translates as the path to collaboration is your surrender; we can negotiate once you've done that. You make it sound so innocent, too, by missing out the other requirement that Apache would have for contributors to sign an ICLA and thus join Apache :-) S.
Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance
Hi Dennis, *, On Tue, Oct 25, 2011 at 2:04 AM, Dennis E. Hamilton dennis.hamil...@acm.org wrote: I read somewhere, and I don't know where, that ASF did not want torrents to be used. I'm guessing that the issue is related to ensuring the integrity and authenticity of packaged releases. That doesn't make sense - integrity is assured by bittorrent by providing sha1sums for each chunk. And authenticity can be assured just like it is with regular releases - just include a corresponding signature file within the torrent. I may have dreamed it or I am mixing this up with something else. If those were the only reasons, then they were made-up arguments. But bittorrent only makes sense for larger files anyway. ciao Christian
Re: working on a OpenOffice roadmap
On Tue, Oct 25, 2011 at 6:28 AM, Simon Phipps si...@webmink.com wrote: On Mon, Oct 24, 2011 at 8:20 PM, Pedro Giffuni p...@apache.org wrote: If libreoffice encourages, but not requires, AL2 for stuff in the core package, that would be a huge advance to get a bit nearer both camps. Given licenses are the expression of the ethos of a community, it's LO had no choice but to take LGPL. So more necessity/inertia than ethos. And -- according to Michael -- when it thought that MPL might be more acceptable TDF was quick to add MPL for new code contributions. This shows an ethos of flexibility. This is a good thing. One option TDF/LO did not have at the time was to take the core OOo code under ALv2, an option they now have via the Oracle SGA's to Apache. It might make sense to evaluate the new possibilities, including possibilities for collaboration, enabled by this change, a change that was not even remotely foreseeable, and therefore was not considered, when TDF/LO first started. disingenuous and divisive to assume any community will drop its governance approach like this, Pedro. It translates as the path to collaboration is your surrender; we can negotiate once you've done that. You make it sound This is obviously a touchy subject for you, Simon. But please read what Pedro wrote. He said: If libreoffice encourages, but not requires, AL2 for stuff in the core package, that would be a huge advance to get a bit nearer both camps. This is not asking for LO members to surrender or fall on their swords. It is suggesting that information be made available to LO developers who might wish to voluntarily make their code available under ALv2 as well as the existing LGPL/MPL. Please correct me if I'm wrong, but I had the impression that there is nothing at TDF/LO that would prevent someone from doing this? so innocent, too, by missing out the other requirement that Apache would have for contributors to sign an ICLA and thus join Apache :-) Signing the iCLA is not required for most patches.
Regards, -Rob S.
Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance
On Mon, Oct 24, 2011 at 2:08 AM, Marcus (OOo) marcus.m...@wtnet.de wrote: snip The problem is that the ASF do not want to host and provide services of special software for single projects. I can understand this as even the ASF infra is a team of volunteers and their time is limited as it is for all others. I think this is a little open to misinterpretation. Hopefully a Mentor will jump in but (until they do) I'll do my best to explain a little bit more about the way infrastructure works here at Apache... The infrastructure team at Apache is an independent, volunteer-led self-organising community of experts. Apache delegates infrastructure to this community, and provides resources to sustain their work[1]. When asking infrastructure for help, it's essential to remember this and engage with them as peers with special expertise. Anyone arriving with a solution or a request for a new service must expect to be challenged to defend and refine their choice of solution. To move back to the particular, this is a migration issue. A valuable service is about to be closed and needs to be migrated. Whether this is the right long-term solution is open to debate but accepting a service for a temporary period doesn't raise the issues that committing to provide a similar service for all projects forever would. Please explain the problem to infrastructure and ask for their help to find a solution. Robert [1] The team has a budget and some flexibility to bring additional resources - including hired help - when needed. Apache has adequate financial resources but is culturally resistant to committing to additional spending without good reason. Apache values independence. Dependency on funding risks that independence.
Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance
The issue with bittorrent is that it has become nearly illegal in some countries. I heard about someone being visited by the police in Italy. I do think it is an option but alternate means must be provided. Pedro.
Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance
On Tue, 25 Oct 2011 05:04:08 -0700 (PDT) Pedro Giffuni p...@apache.org wrote: The issue with bittorrent is that it has become nearly illegal in some countries. I heard about someone being visited by the police in Italy. I do think it is an option but alternate means must be provided. On the Forum we frequently advise users who have a problem downloading to use a torrent; this seems to cure recalcitrant download problems, such as slow (modem) or noisy connections. -- Rory O'Farrell ofarr...@iol.ie
Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance
On Tue, Oct 25, 2011 at 12:36 PM, Christian Lohmaier cl...@openoffice.org wrote: Hi Dennis, *, On Tue, Oct 25, 2011 at 2:04 AM, Dennis E. Hamilton dennis.hamil...@acm.org wrote: I read somewhere, and I don't know where, that ASF did not want torrents to be used. I'm guessing that the issue is related to ensuring the integrity and authenticity of packaged releases. That doesn't make sense - integrity is assured by bittorrent by providing sha1sums for each chunk. And authenticity can be assured just like it is with regular releases - just include a corresponding signature file within the torrent. Better to download the signature over HTTPS but yes, I see no reason why this approach could not be made to work. I may have dreamed it or I am mixing this up with something else. If those were the only reasons, then they were made-up arguments. When engaging with Infrastructure, expect to be challenged and to have to defend any proposal. These lists are open, so expect a range of cluefulness from contributors. The best way to impress the core infrastructure team is for plenty of clueful people from a project to show up and defend the proposal with well-researched arguments. Giving up and going away is the surest way to lose the argument... Robert
Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance
On Tue, Oct 25, 2011 at 1:04 AM, Dennis E. Hamilton dennis.hamil...@acm.org wrote: I read somewhere, and I don't know where, that ASF did not want torrents to be used. The meaning and force of this statement is hard to judge without a full context. Apache has surprisingly and confusingly little policy, and most of that should be written down. Apache encourages wide participation on open lists. Conventionally, opinions expressed on lists are just personal opinions - unless backed by evidence or clear marking[1]. So this is just my personal opinion ;-) Robert [1] wearing a hat :-) http://www.apache.org/foundation/how-it-works.html
Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance
Il 25/10/2011 14.04, Pedro Giffuni ha scritto: The issue with bittorrent is that it has become nearly illegal in some countries. I heard about someone being visited by the police in Italy. There is always somebody visited by our Polizia Postale. ;-) Indeed, the software is legal, of course. It's the way a user utilizes it that may be illegal. BTW, I've seeded LibreOffice for a couple of months and Torrent is a useful tool that helps to distribute among users the bandwidth needed for large downloads. Regards, Gianluca -- Lettura gratuita o acquisto di libri e racconti di fantascienza, fantasy, horror, noir, narrativa fantastica e tradizionale: http://www.letturefantastiche.com/
Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance
Hi Robert, *, On Tue, Oct 25, 2011 at 2:15 PM, Robert Burrell Donkin robertburrelldon...@gmail.com wrote: On Tue, Oct 25, 2011 at 12:36 PM, Christian Lohmaier cl...@openoffice.org wrote: [...] That doesn't make sense - integrity is assured by bittorrent by providing sha1sums for each chunk. And authenticity can be assured just like it is with regular releases - just include a corresponding signature file within the torrent. Better to download the signature over HTTPS but yes, I see no reason why this approach could not be made to work With signature I meant a real signature (gpg signature), not a md5sum or sha1sum file. When it is a cryptographic signature, it doesn't matter how you download it, as it cannot be faked. (of course the user has to get the proper key, but that's a different issue) I may have dreamed it or I am mixing this up with something else. If those were the only reasons, then they were made-up arguments. When engaging with Infrastructure, expect to be challenged and to have to defend any proposal. These lists are open, so expect a range of cluefulness from contributors. The best way to impress the core infrastructure team is for plenty of clueful people from a project to show up and defend the proposal with well-researched arguments. Giving up and going away is the surest way to lose the argument... With OOo the tracker network[1] was run independently anyway and not hosted on the Oracle or OSUOSL hosted infrastructure. The main tracker was Mike's at utwente, and that mirror also was the initial/main seed for all the releases. There were other trackers linked together via a tracker-hub (backup tracker as well as the hub were provided by Harold). So it is not a matter of infrastructure, but a matter of policy. There's no need for the mechanism to change in my opinion. (torrents are generated automatically as soon as they hit the mirror).
So if apache wants to setup their own bt network, they need one capable machine (in terms of bandwidth) server to be the initial seed, and one with almost no resources (can be the same machine of course) to act as tracker. [1] The trackers are *linked*, not separate, all trackers know about every peer, so there is no swarm fragmentation, and you got the fallback in case one of the trackers is down (TDF only uses one single tracker, but webseeds (traditional http/ftp URLs) are included, so even when the tracker is down, the clients can still use regular mirrors and DHT.) ciao Christian
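The distinction Christian draws above, integrity from the per-chunk SHA-1 hashes in the torrent metadata versus authenticity from a cryptographic signature checked against a key the user obtained separately, is shown in an added example that is not part of this thread or of either project's release tooling. Ed25519 over a SHA-256 digest stands in for the detached GPG signature; the archive bytes and both keys are constructed on the spot. Three downloads are checked: the genuine release, a transfer with one corrupted byte, and a substituted archive shipped with regenerated piece hashes and a signature under a different key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
)

// pieceLength mirrors the fixed piece size a .torrent declares; 16 bytes
// keeps the constructed sample small.
const pieceLength = 16

// pieceHashes computes BitTorrent-style SHA-1 digests over consecutive
// fixed-size pieces of payload; the last piece may be shorter.
func pieceHashes(payload []byte, pieceLen int) [][sha1.Size]byte {
	var hashes [][sha1.Size]byte
	for off := 0; off < len(payload); off += pieceLen {
		end := off + pieceLen
		if end > len(payload) {
			end = len(payload)
		}
		hashes = append(hashes, sha1.Sum(payload[off:end]))
	}
	return hashes
}

// verifyPieces is the integrity check a BitTorrent client performs: every
// downloaded piece must hash to the value the metadata lists for it.
func verifyPieces(payload []byte, expected [][sha1.Size]byte, pieceLen int) bool {
	got := pieceHashes(payload, pieceLen)
	if len(got) != len(expected) {
		return false
	}
	for i := range got {
		if got[i] != expected[i] {
			return false
		}
	}
	return true
}

// signDigest stands in for the detached GPG signature shipped with a release:
// the release manager signs the SHA-256 digest of the archive.
func signDigest(priv ed25519.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	return ed25519.Sign(priv, digest[:])
}

// verifySignature is the authenticity check. It depends only on the key the
// user trusts, not on the channel the archive or signature arrived over.
func verifySignature(pub ed25519.PublicKey, payload, sig []byte) bool {
	digest := sha256.Sum256(payload)
	return ed25519.Verify(pub, digest[:], sig)
}

// Outcome records both checks for one download scenario.
type Outcome struct {
	Integrity    bool // piece hashes match the metadata
	Authenticity bool // signature verifies under the trusted release key
}

// CheckDownload runs both checks as a careful downloader would.
func CheckDownload(payload []byte, hashes [][sha1.Size]byte, pub ed25519.PublicKey, sig []byte) Outcome {
	return Outcome{
		Integrity:    verifyPieces(payload, hashes, pieceLength),
		Authenticity: verifySignature(pub, payload, sig),
	}
}

// Scenarios plays out three downloads against a constructed archive and a
// hypothetical release key generated on the spot.
func Scenarios() (genuine, corrupted, substituted Outcome) {
	releasePub, releasePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	archive := []byte("constructed sample archive bytes, not a real OOo release")
	hashes := pieceHashes(archive, pieceLength)
	sig := signDigest(releasePriv, archive)
	genuine = CheckDownload(archive, hashes, releasePub, sig)

	// Corrupted transfer: one flipped byte, original metadata and signature.
	damaged := append([]byte(nil), archive...)
	damaged[3] ^= 0xff
	corrupted = CheckDownload(damaged, hashes, releasePub, sig)

	// Substitution: the replacement comes with freshly computed piece hashes,
	// so integrity passes, and a signature under the substituter's own key,
	// which verification under the trusted release key rejects.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	replacement := []byte("constructed substituted archive bytes, also not a real build")
	substituted = CheckDownload(replacement, pieceHashes(replacement, pieceLength),
		releasePub, signDigest(otherPriv, replacement))
	return genuine, corrupted, substituted
}

func main() {
	g, c, s := Scenarios()
	fmt.Printf("genuine:     %+v\ncorrupted:   %+v\nsubstituted: %+v\n", g, c, s)
}
```

The substituted case is the one that separates the two properties: whoever can replace the archive on a mirror or in a .torrent can also regenerate matching piece hashes, so only the signature check under the key the user already trusts tells a genuine release from a replacement, which is also why that key has to come from somewhere other than the download itself, as Christian notes.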
Draft mailing list notification post
On the wiki here: https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post Feel free to make changes directly on the wiki, or suggest them as responses to this note. I don't think we want to overburden the reader with a recitation of migration facts, but instead motivate them to take the desired actions. But since this will be for many the first note they officially receive from the PPMC, it should probably have some introductory information, and a welcome and invitation to get involved (stay involved) with the project. -Rob
Re: working on a OpenOffice roadmap
Thank you Pedro for the very well thought out and politely presented explanation of your point. It's very helpful to have this kind of honest and detailed discussion, especially when tempers run high, and doubly so when there's such a clear (and unfortunate) distrust between AOOo community members and folks working on TDF/LO. Personally, I agree: the point is that if TDF/LO also encourages / documents as an additional optional step / even simply allows in some obvious public way for people submitting patches that could apply to AOOo under both licenses, that would be a big win for the ecosystem. AOOo code will already be fully useable by LO, so I find it hard to see what the harm is in allowing TDF/LO contributors to know about the option of dual licensing specific patches under the AL. This is certainly not something aimed at hurting LO, and certainly doesn't apply to new or changed work in LO. But it would be nice to discuss the possibility of having code that both projects can use without getting everyone's hackles up. Especially since the alternative seems to be that Simon (I think) is saying he'd effectively rather see everyone contributing code exclusively to one project, and explicitly not allowing it to be contributed into the other. This is exactly why I believe in the Apache license. I believe that *people* should be free. Users of our Apache software should be free to use it as they see fit. If they contribute changes back, that's great - but what's important for open source is that humans now have access to a wealth of powerful software for free that they can use openly, easily, and for their own purposes, without undue restrictions. - Shane P.S. and really, while the iCLA is a required step to become a committer at Apache, it really shouldn't be such a large club to hit us over the head repeatedly. It's not needed for most patches like I thought we were discussing here. 
On 10/25/2011 7:25 AM, Pedro Giffuni wrote: Hi Simon; I try to give people the benefit of the doubt. Ethos is something that goes well beyond a license, and once you read the iCLA it's not an impossible thing to ask ( you signed it), and it's surely not what SUN had in place. That said, and it's something I have argued about publicly with Rob, while the iCLA is a requisite to become a committer, it is not a requisite to contribute. Furthermore, once we start doing releases (and trust me, we will get there) they are likely to start including AL2 code anyways. Am I naive? Yes. I was never part of the previous OOo community led by SUN so perhaps not having that trauma helps me see things a lot simpler than they are. There is an evident lack of confidence in us over there and as I said before, in private, we can't start activities like a shared security list if there is no confidence first. I stand to the principle that we are neutral, and that every vendor or community member is free to join or leave whenever they want. Pedro. --- On Tue, 10/25/11, Simon Phipps si...@webmink.com wrote: On Mon, Oct 24, 2011 at 8:20 PM, Pedro Giffuni p...@apache.org wrote: If libreoffice encourages, but not requires, AL2 for stuff in the core package, that would be a huge advance to get a bit nearer both camps. Given licenses are the expression of the ethos of a community, it's disingenuous and divisive to assume any community will drop its governance approach like this, Pedro. It translates as the path to collaboration is your surrender; we can negotiate once you've done that. You make it sound so innocent, too, by missing out the other requirement that Apache would have for contributors to sign an ICLA and thus join Apache :-) S.
Re: Neutral / shared security list ...
On Tue, Oct 25, 2011 at 6:47 AM, Michael Meeks michael.me...@suse.com wrote: Hi Dave, On Mon, 2011-10-24 at 16:25 -0700, Dave Fisher wrote: Not sure how much this is like your original proposal, but maybe the following is acceptable: (1) The securityt...@openoffice.org continues. As mentioned, not happy about an openoffice.org domain; LibreOffice is not openoffice.org, that is not really neutral. I think part of the confusion here is that some of us are talking about trust and you are talking about neutrality and many of us are conflating the two. For example: I think we would agree that the United Nations building in NYC is a neutral venue. But I wouldn't want to accidentally leave my wallet in the rest rooms there. Neutrality is not the same as trustworthy. And even with trust we're not really saying what we think that means. Are we talking about verified identities, a web of trust that can be confirmed via digital signatures? Or trust in terms of confident belief that we're not going to stab each other in the back? Obviously the latter form of trust is independent of the neutrality of the venue. It is trust of individuals and their actions, not trust of neutral venues. (Many countries have been stabbed in the back at the UN) I'd recommend that we seek trust, and do so via transparency. The subscriber list of securityteam should be made public. Let's demonstrate that there is no boogeyman hiding in the shadows. Let's show that the members are well-known members of the AOOo and LO communities, as well as security experts from other vendors and Linux distros. We have a common goal - improving security for our users. Neutrality then comes when all parties are represented and able freely to express their views, like at the UN, even though it is in the USA. The rest is just community practice, and we should have enough respect for the community in that list -- once we understand better who is on that list -- to establish their own rules and norms of behavior.
I don't think we want to dictate from above how the list operates, something we have hesitated to do for any other list in this project. In the end, trust and neutrality are complex social phenomena. If you try to reduce this complexity to an IP address (or a street address) then you will fail every time. -Rob
FAQ on patch contributions
Something we talked about a while ago, but never did. An FAQ on how to submit a patch to the project. Obviously, we have many project members who have figured this out. But there may be others who now or in the future would benefit from a simple write-up.

I was thinking of taking as a base this page from Apache HTTP, "How to Contribute Patches to Apache": http://httpd.apache.org/dev/patches.html

A few questions:

1) If someone uses the git bridge to the repository, does git diff produce a patch in the same format as svn diff? In other words, are they compatible?

2) Do we have a strong preference for whether patches are submitted to the ooo-dev list or via Bugzilla? Or are both acceptable?

3) It is clear that someone submitting a patch to BZ does so under ALv2. It is not so clear for patches on ooo-dev, unless they state so explicitly, right?

4) Any other things we should mention?

-Rob
Fwd: odt2braille on the Mac
Hi all,

My name is Bert Frees. I'm the developer of odt2braille, the Braille plugin for OOo: http://odt2braille.sourceforge.net/index.html. Some time ago I raised an issue on the old developer list (see e-mail below), but I got no reaction. I'm bringing it up again on this list in the hope somebody here can help me out. I'm not a Mac expert at all, but I get a lot of requests for Mac support. A lot of people would be very happy if this got solved.

Thanks in advance,
Bert Frees

--
Bert Frees
Katholieke Universiteit Leuven
Dept. Elektrotechniek - ESAT - SCD
Onderzoeksgroep Documentarchitecturen
Kasteelpark Arenberg 10 bus 2442
B-3001 Heverlee-Leuven
België

-------- Original Message --------
Subject: odt2braille on the Mac
Date: Mon, 16 May 2011 11:55:37 +0200
From: Bert Frees bertfr...@gmail.com
To: d...@openoffice.org

Hello,

I'm new to this mailing list. My name is Bert Frees. I am the developer of odt2braille, the OpenOffice.org plugin for printing and exporting Braille. The website is http://odt2braille.sourceforge.net/index.html.

I'm trying to make this plugin available on the Mac, but I've been puzzling over a bug for some time now and I'm really stuck. I hope there is somebody on this list who is familiar with OOo on the Mac, and who knows what might be the problem.

I'm using javax.print.PrintServiceLookup (http://download.oracle.com/javase/1.4.2/docs/api/javax/print/PrintServiceLookup.html) to look up the default printer device. It works fine on Windows, but on Mac OS it causes OOo to crash. Also, I'm sure the problem is OOo-related because the code runs fine when it is not embedded in an OOo extension.

This is the code:

    // lookupDefaultPrintService() returns a single PrintService (null if none is installed)
    javax.print.PrintService printer = javax.print.PrintServiceLookup.lookupDefaultPrintService();

Thanks,
Bert
Re: [Proposal] Shutting down legacy OOo mailing lists
On Mon, Oct 17, 2011 at 11:35 AM, Dave Fisher dave2w...@comcast.net wrote:
> snip
>
> In the three to four weeks that it will take to get to step (7) AOOo and Apache Infra should have control over the openoffice.org MX records. An easier alternative would be to decide what MX services we want to continue on openoffice.org and do the MX migration at this point. Even if it will bounce and/or forward email.

Can we talk through that option a little more?

Take a legacy list like us...@openoffice.org. If we try to handle this via the MX record, then that applies to the entire domain, all mailing lists as well as forwarding email accounts at openoffice.org. Is that correct? In other words, the MX record is at the level of openoffice.org, not at the level of us...@openoffice.org.

So in the MX approach, is there any way to do a more gradual migration, or do we need to do it all at once, including the forwarding accounts? I know for web traffic, there is some flexibility at the subdomain level. But these are all the same domain, just differing by account.

Suppose there is some way to get over that. Then we could create identically named (or predictably mappable) equivalent lists using ezmlm. But since we're not able to automatically sign users up, the traffic forwarding would all end up in the moderator queues. Of course, these could be passed through. We could even white list the addresses (or black list in the case of spammers). But it doesn't get people signed up on the ezmlm list.

Where this might be useful is for cases where a legacy email list address is on a third party page, or maybe even in our own legacy list archives. Someone does a Google search and sees something that says, "If you run into this problem, please send an email to f...@openoffice.org." Some degree of forwarding for these emails would ensure such users don't get lost.

But we can't simply forward *.openoffice.org to a ooo-legacy-bucket.i.a.o email list, since many of the *.openoffice.org addresses are personal forwarding addresses and contain personal content. And some lists are private lists. So any forwarding scheme would need to be very sensitive to these details and would likely need an actual enumeration of the 300 or so lists and the unknown number of official contact emails (webmaster, etc.) that we want to forward.

Do you see that path in a similar way? Or do you see a simpler way of doing that?

-Rob
Re: FAQ on patch contributions
--- On Tue, 10/25/11, Rob Weir robw...@apache.org wrote:
> Something we talked about a while ago, but never did. An FAQ on how to submit a patch to the project. Obviously, we have many project members who have figured this out. But there may be others who now or in the future would benefit from a simple write-up.
>
> I was thinking of taking as a base this page from Apache HTTP, "How to Contribute Patches to Apache": http://httpd.apache.org/dev/patches.html
>
> A few questions:
>
> 1) If someone uses the git bridge to the repository, does git diff produce a patch in the same format as svn diff? In other words, are they compatible?
>
> 2) Do we have a strong preference for whether patches are submitted to the ooo-dev list or via Bugzilla? Or are both acceptable?

Both are acceptable and are covered by clause 5 of the AL2. I personally prefer bugzilla because the list sometimes filters patches.

> 3) It is clear that someone submitting a patch to BZ does so under ALv2. It is not so clear for patches on ooo-dev, unless they state so explicitly, right?

FWIW, bugzilla reminds ppl of the AL2 when you create an account. If you want to add a similar notice when people subscribe to the list that's OK, but I don't want the extra license noise in the lists to specify what should be obvious.

> 4) Any other things we should mention?

To use the [patch] or [code] tag when sending patches.

Pedro.
Re: Neutral / shared security list ...
On 23.10.2011 04:37, Rob Weir wrote:
> For example, AOOo currently does not have a Pootle server. Is that an area where TDF this time can help AOOo?

For the record, the old pootle server is lying under my desk. I would be glad to see that server online again,

Martin
Re: odt2braille on the Mac
Hi, I think it might be better to use the UNO API for the printing services.
http://wiki.services.openoffice.org/wiki/API/Samples/Java/Office/DocumentHandling#DocumentPrinter

On 10/25/11, Bert Frees bertfr...@gmail.com wrote:
> Hi all,
>
> My name is Bert Frees. I'm the developer of odt2braille, the Braille plugin for OOo: http://odt2braille.sourceforge.net/index.html. Some time ago I raised an issue on the old developer list (see e-mail below), but I got no reaction. I'm bringing it up again on this list in the hope somebody here can help me out. I'm not a Mac expert at all, but I get a lot of requests for Mac support. A lot of people would be very happy if this got solved.
>
> Thanks in advance,
> Bert Frees
>
> --
> Bert Frees
> Katholieke Universiteit Leuven
> Dept. Elektrotechniek - ESAT - SCD
> Onderzoeksgroep Documentarchitecturen
> Kasteelpark Arenberg 10 bus 2442
> B-3001 Heverlee-Leuven
> België
>
> -------- Original Message --------
> Subject: odt2braille on the Mac
> Date: Mon, 16 May 2011 11:55:37 +0200
> From: Bert Frees bertfr...@gmail.com
> To: d...@openoffice.org
>
> Hello,
>
> I'm new to this mailing list. My name is Bert Frees. I am the developer of odt2braille, the OpenOffice.org plugin for printing and exporting Braille. The website is http://odt2braille.sourceforge.net/index.html.
>
> I'm trying to make this plugin available on the Mac, but I've been puzzling over a bug for some time now and I'm really stuck. I hope there is somebody on this list who is familiar with OOo on the Mac, and who knows what might be the problem.
>
> I'm using javax.print.PrintServiceLookup (http://download.oracle.com/javase/1.4.2/docs/api/javax/print/PrintServiceLookup.html) to look up the default printer device. It works fine on Windows, but on Mac OS it causes OOo to crash. Also, I'm sure the problem is OOo-related because the code runs fine when it is not embedded in an OOo extension.
>
> This is the code:
>
>     // lookupDefaultPrintService() returns a single PrintService (null if none is installed)
>     javax.print.PrintService printer = javax.print.PrintServiceLookup.lookupDefaultPrintService();
>
> Thanks,
> Bert

--
Alexandro Colorado
OpenOffice.org Español
http://es.openoffice.org
Re: Neutral / shared security list ...
On Oct 25, 2011, at 7:36 AM, Martin Hollmichel wrote:
> On 23.10.2011 04:37, Rob Weir wrote:
>> For example, AOOo currently does not have a Pootle server. Is that an area where TDF this time can help AOOo?
>
> For the record, the old pootle server is lying under my desk. I would be glad to see that server online again,

Try contacting Andrew Rist, he may have a backup.

Regards,
Dave
Re: FAQ on patch contributions
On 10/25/2011 04:31 PM, Pedro Giffuni wrote:
> --- On Tue, 10/25/11, Rob Weir robw...@apache.org wrote:
>> Something we talked about a while ago, but never did. An FAQ on how to submit a patch to the project. Obviously, we have many project members who have figured this out. But there may be others who now or in the future would benefit from a simple write-up.
>>
>> I was thinking of taking as a base this page from Apache HTTP, "How to Contribute Patches to Apache": http://httpd.apache.org/dev/patches.html
>>
>> A few questions:
>>
>> 1) If someone uses the git bridge to the repository, does git diff produce a patch in the same format as svn diff? In other words, are they compatible?
>>
>> 2) Do we have a strong preference for whether patches are submitted to the ooo-dev list or via Bugzilla? Or are both acceptable?
>
> Both are acceptable and are covered by clause 5 of the AL2. I personally prefer bugzilla because the list sometimes filters patches.

+1

IMHO BZ seems to be the more logical part to host patches. Even when knowing the famous sentence If it doesn't happen on the list, ;-) When the Dev would write a short mail to the list with a link to the BZ issue, it would be perfect.

>> 3) It is clear that someone submitting a patch to BZ does so under ALv2. It is not so clear for patches on ooo-dev, unless they state so explicitly, right?
>
> FWIW, bugzilla reminds ppl of the AL2 when you create an account. If you want to add a similar notice when people subscribe to the list that's OK, but I don't want the extra license noise in the lists to specify what should be obvious.
>
>> 4) Any other things we should mention?
>
> To use the [patch] or [code] tag when sending patches.

Yes, would be helpful to differentiate right in the subject of mails.

Marcus
Re: FAQ on patch contributions
Excellent stuff, and definitely needed.

On 10/25/2011 10:44 AM, Marcus (OOo) wrote:
> On 10/25/2011 04:31 PM, Pedro Giffuni wrote:
>> --- On Tue, 10/25/11, Rob Weir robw...@apache.org wrote:
>>> ...snip...
>>>
>>> 2) Do we have a strong preference for whether patches are submitted to the ooo-dev list or via Bugzilla? Or are both acceptable?
>>
>> Both are acceptable and are covered by clause 5 of the AL2. I personally prefer bugzilla because the list sometimes filters patches.
>
> +1
>
> IMHO BZ seems to be the more logical part to host patches. Even when knowing the famous sentence If it doesn't happen on the list, ;-) When the Dev would write a short mail to the list with a link to the BZ issue, it would be perfect.

+1 for encouraging Bugzilla patches, since once the project is comfortable with the BZ categories, etc. it's easier to track items.

See Also: ooo-iss...@incubator.apache.org, which is a publicly archived mailing list that all BZ status changes are mirrored to - very helpful if folks want to track bugs. Some projects have that stuff come to the dev@ list, but here it's a separate issues@ list. Archives are at both:

http://mail-archives.apache.org/mod_mbox/incubator-ooo-issues/
http://ooo.markmail.org/search/bugzilla+list:org%2Eapache%2Eincubator%2Eooo-issues

- Shane
Re: Neutral / shared security list ...
Hi all,

If both parties (ASF, TDF) agree, I could imagine that team openoffice is willing to provide funds for an independent location, but at the same time I'm wondering whether such a neutral zone is wanted and makes sense? What I really don't like to see is a third location for OpenOffice.org getting established, that would not be the right sign,

Martin

On 25.10.2011 13:03, Simon Phipps wrote:
> On 25 Oct 2011, at 02:55, Dave Fisher wrote:
>> I tried to be ambiguous with fork/downstream. There is a relationship, and whether it originates as a fork, upstream, downstream, or upside-down relationship the relationship *IS* a *PEER* relationship. (auf Deutsch, ist klar?) :-)
>
> I just want to make clear that, listening to both sides of this issue, it is very easy (on both sides) for people to use language that is unintentionally inflammatory and then treat the other party as at fault when they react to it...
>
>> So, this could be a true point of co-operation, there was a thread about this and it did have some good ideas. Extensions and especially templates are likely to be compatible.
>
> This isn't a given. By the time AOOo makes an end-user release, there are likely to be substantial differences and a shared add-ons repo would probably need to distinguish strongly between the two projects. Still worth considering though, I agree.
>
>> Given the licensing issues with Apache hosting it does make more sense for the TDF to host these.
>
> TDF won't host closed extensions though, so the combined (TDF + Apache) repo would still hold less than the current repo.
>
>> No technical reasons why the openoffice.org DNS for these couldn't point to servers hosted by the TDF.
>
> Maybe this is a compromise solution for the security list too? make it coordinat...@security.openoffice.org and point the MX at a TDF server?
>
> S.
Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance
On Tue, Oct 25, 2011 at 1:38 PM, Christian Lohmaier cl...@openoffice.org wrote:
> Hi Robert, *,
>
> On Tue, Oct 25, 2011 at 2:15 PM, Robert Burrell Donkin robertburrelldon...@gmail.com wrote:
>> On Tue, Oct 25, 2011 at 12:36 PM, Christian Lohmaier cl...@openoffice.org wrote:
>>> [...] That doesn't make sense - integrity is assured by bittorrent by providing sha1sums for each chunk. And authenticity can be assured just like it is with regular releases - just include a corresponding signature file within the torrent.
>>
>> Better to download the signature over HTTPS but yes, I see no reason why this approach could not be made to work
>
> With signature I meant a real signature (gpg signature), not a md5sum or sha1sum file. When it is a cryptographic signature, it doesn't matter how you download it, as it cannot be faked. (of course the user has to get the proper key, but that's a different issue)

FWIW it's a defense in depth measure[1]

>> I may have dreamed it or I am mixing this up with something else.
>
> If those were the only reasons, then they were made-up arguments.

When engaging with Infrastructure, expect to be challenged and to have to defend any proposal. These lists are open, so expect a range of cluefulness from contributors. The best way to impress the core infrastructure team is for plenty of clueful people from a project to show up and defend the proposal with well-researched arguments. Giving up and going away is the surest way to lose the argument...

> With OOo the tracker network[1] was run independently anyway and not hosted on the Oracle or OSUOSL hosted infrastructure. The main tracker was Mike's at utwente, and that mirror also was the initial/main seed for all the releases. There were other trackers linked together via a tracker-hub (backup tracker as well as the hub were provided by Harold). So it is not a matter of infrastructure, but a matter of policy.

Where's the URL for this policy?

Robert

[1] Consider an attacker with some ability to fabricate convincing signatures. Downloading the signature from a trusted server means that such an attacker would need to replace an existing signature on secure hardware without detection. The small increase in traffic is a small price to pay for this additional defense in depth.
Re: Draft mailing list notification post
is migrate the many legacy - is migrating the many legacy
on to Apache servers - onto Apache servers

Aside from that, it looks good to me, though I wonder if the opening paragraph sounds a little Nigerian.

Don
Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance
On 10/25/2011 02:02 PM, Robert Burrell Donkin wrote:
> On Mon, Oct 24, 2011 at 2:08 AM, Marcus (OOo) marcus.m...@wtnet.de wrote:
>> snip
>>
>> The problem is that the ASF do not want to host and provide services of special software for single projects. I can understand this as even the ASF infra is a team of volunteers and their time is limited as it is for all others.
>
> I think this is a little open to misinterpretation. Hopefully a Mentor will jump in but (until they do) I'll do my best to explain a little bit more about the way infrastructure works here at Apache...
>
> The infrastructure team at Apache is an independent, volunteer-led self-organising community of experts. Apache delegates infrastructure to this community, and provides resources to sustain their work[1]. When asking infrastructure for help, it's essential to remember this and engage with them as peers with special expertise. Anyone arriving with a solution or a request for a new service must expect to be challenged to defend and refine their choice of solution.

Thanks for the explanation. I thought it would be a kind of just another project. But it's not.

> To move back to the particular, this is a migration issue. A valuable service is about to be closed and needs to be migrated. Whether this is the right long-term solution is open to debate but accepting a service for a temporary period doesn't raise the issues that committing to provide a similar service for all projects forever would. Please explain the problem to infrastructure and ask for their help to find a solution.

I know a service like MirrorBrain could be of high value to any Apache project that provides file downloads, so it should be helpful for every project. As it is able to keep the overview of all possible mirrors that offer Apache software there needs to be only a single instance and not one per project.

Let's see what we get until Friday. Otherwise we have to start again.

Marcus

> [1] The team has a budget and some flexibility to bring additional resources - including hired help - when needed. Apache has adequate financial resources but is culturally resistant to committing to additional spending without good reason. Apache values independence. Dependency on funding risks that independence.
Re: odt2braille on the Mac
Hi Alexandro,

Thanks for your suggestion. Something I didn't mention yet is that I need an interface that can send raw data (a byte stream) to a printer driver. The problem with braille printers is that they're very different from normal ink printers. A braille printer is more like an old dot-matrix or impact printer, and is controlled with special escape sequences and codes that define where a braille dot has to be placed on the paper. Is it possible to send raw data to a printer using this API?

Best,
Bert

On 25/10/2011 16:41, Alexandro Colorado wrote:
> Hi, I think it might be better to use the UNO API for the printing services.
> http://wiki.services.openoffice.org/wiki/API/Samples/Java/Office/DocumentHandling#DocumentPrinter
>
> On 10/25/11, Bert Frees bertfr...@gmail.com wrote:
>> Hi all,
>>
>> My name is Bert Frees. I'm the developer of odt2braille, the Braille plugin for OOo: http://odt2braille.sourceforge.net/index.html. Some time ago I raised an issue on the old developer list (see e-mail below), but I got no reaction. I'm bringing it up again on this list in the hope somebody here can help me out. I'm not a Mac expert at all, but I get a lot of requests for Mac support. A lot of people would be very happy if this got solved.
>>
>> Thanks in advance,
>> Bert Frees
>>
>> --
>> Bert Frees
>> Katholieke Universiteit Leuven
>> Dept. Elektrotechniek - ESAT - SCD
>> Onderzoeksgroep Documentarchitecturen
>> Kasteelpark Arenberg 10 bus 2442
>> B-3001 Heverlee-Leuven
>> België
>>
>> -------- Original Message --------
>> Subject: odt2braille on the Mac
>> Date: Mon, 16 May 2011 11:55:37 +0200
>> From: Bert Frees bertfr...@gmail.com
>> To: d...@openoffice.org
>>
>> Hello,
>>
>> I'm new to this mailing list. My name is Bert Frees. I am the developer of odt2braille, the OpenOffice.org plugin for printing and exporting Braille. The website is http://odt2braille.sourceforge.net/index.html.
>>
>> I'm trying to make this plugin available on the Mac, but I've been puzzling over a bug for some time now and I'm really stuck. I hope there is somebody on this list who is familiar with OOo on the Mac, and who knows what might be the problem.
>>
>> I'm using javax.print.PrintServiceLookup (http://download.oracle.com/javase/1.4.2/docs/api/javax/print/PrintServiceLookup.html) to look up the default printer device. It works fine on Windows, but on Mac OS it causes OOo to crash. Also, I'm sure the problem is OOo-related because the code runs fine when it is not embedded in an OOo extension.
>>
>> This is the code:
>>
>>     // lookupDefaultPrintService() returns a single PrintService (null if none is installed)
>>     javax.print.PrintService printer = javax.print.PrintServiceLookup.lookupDefaultPrintService();
>>
>> Thanks,
>> Bert
Re: Areas for cooperation between AOOO and LO [was: Cooperation withRe: Neutral / shared security list ...]
On Oct 25, 2011, at 2:38 AM, Ian Lynch wrote:
> Seems to me that while the focus is political point scoring, aggression, sarcasm and such the chances of getting cooperation are zero.

+1. We will need to crawl to co-operation before we walk and run.

Regards,
Dave

> On 25 October 2011 00:32, Rob Weir robw...@apache.org wrote:
>> On Mon, Oct 24, 2011 at 7:11 PM, Simon Phipps si...@webmink.com wrote:
>>> On 25 Oct 2011, at 00:56, Rob Weir wrote:
>>>> Hi Simon, do you have any other ideas for cooperation, preferably ones that are not redundant?
>>>
>>> While I am amused that your first words after "hopefully will attract fewer trolls" themselves include a mean-spirited troll, I'm sorry you think a collaborative security mailing list with shared, collaborative ownership is redundant.
>>
>> We already have a collaborative security mailing list that has 4 LO members on it, as well as several AOOo members, representatives from other vendors, security experts from Linux distros, etc. So we are already there. Creating a new list for the same thing would be redundant.
>>
>>> We clearly have very different views of the world. I continue to think such a list holds great opportunity for collaboration since it was working in that role for many months, but it's hard to see how it can now be the securityteam@ list, unfortunately (unless you're speaking alone, of course).
>>
>> As above, the list exists and LO and AOOo members are already on it. Time to declare success and find additional areas to collaborate.
>>
>>>> I suggested cooperating on translations via a shared Pootle instance.
>>>
>>> Hard to see how that would work since it would require the source to be highly similar and that looks unlikely to be the case.
>>
>> I think the value would come from the translation memory aspect. So even if we had different source files, the UI's of the products are nearly identical, and the underlying concepts of the products remain very much the same and likely will remain so for the foreseeable future. (It is not like spreadsheets and word processors have changed much in the past decade.) So there may be some value in sharing translation memory of basic concepts and repeated patterns that are common to describing both products. It also makes it easier for translators who wish to contribute to both products at once, similar to what ODF Authors has done for documentation.
>>
>>>> Or maybe code browsing/searching facilities with OpenGrok. Are either of those possible?
>>>
>>> Hard to see how two very different source trees can have a shared browser. It would be best for Apache to run its own instance.
>>>
>>>> Or maybe work on a collaborative QA site as an alternative user support option?
>>>
>>> Plausible in the future but a little early to be proposing it - YAGNI applies.
>>
>> A little too early? It looks like someone is already trying this for LO, but they are failing to get enough participation needed to graduate on StackExchange. So it looks like an area ripe for collaboration: http://area51.stackexchange.com/proposals/24564/libreoffice
>>
>>>> Or maybe a shared template and extensions site?
>>>
>>> I believe I once proposed such a thing, and was told by both communities that licensing issues would largely prevent it.
>>
>> I certainly proposed such a thing, and licensing was not an issue in my proposal. Maybe we should revisit, if you think this is a possible area for collaboration?
>>
>>>> Any other ideas?
>>>
>>> Delighted to hear you are now such a fan of co-operation though, Rob. I'll be sure to support any viable proposals you present to both communities.
>>
>> I'll continue to float the ideas by you first, Simon. I'd like you to be able to find some success in your goal to lead these projects to find areas to collaborate.
>>
>> -Rob
>>
>>> S.
>
> --
> Ian
> Ofqual Accredited IT Qualifications (The Schools ITQ)
> www.theINGOTs.org +44 (0)1827 305940
> The Learning Machine Limited, Reg Office, 36 Ashby Road, Tamworth, Staffordshire, B79 8AQ. Reg No: 05560797, Registered in England and Wales.
Re: Neutral / shared security list ...
On Tue, Oct 25, 2011 at 11:05 AM, Martin Hollmichel martin.hollmic...@googlemail.com wrote:
> Hi all,
>
> If both parties (ASF, TDF) agree, I could imagine that team openoffice is willing to provide funds for an independent location, but at the same time I'm wondering whether such a neutral zone is wanted and makes sense? What I really don't like to see is a third location for OpenOffice.org getting established, that would not be the right sign,

I'm not sure any of this makes sense. One really needs to suspend reason to understand this debate. For example, Michael is arguing that an Apache-controlled list would not be sufficiently neutral to have security discussions on, despite the fact that it has been used for such purposes, by many, including him, for longer than TDF has been around. Ironically, he is making his argument, and we are having this debate, on an Apache-controlled development list, one in which Michael is freely posting to and participating in. This does not look like a winning argument.

In any case, we have four other TDF/LO members on the securityteam list, including several members of the TDF leadership (Steering Committee). So whatever scruples Michael has do not appear to be shared by all TDF/LO members.

-Rob

> Martin
>
> On 25.10.2011 13:03, Simon Phipps wrote:
>> On 25 Oct 2011, at 02:55, Dave Fisher wrote:
>>> I tried to be ambiguous with fork/downstream. There is a relationship, and whether it originates as a fork, upstream, downstream, or upside-down relationship the relationship *IS* a *PEER* relationship. (auf Deutsch, ist klar?) :-)
>>
>> I just want to make clear that, listening to both sides of this issue, it is very easy (on both sides) for people to use language that is unintentionally inflammatory and then treat the other party as at fault when they react to it...
>>
>>> So, this could be a true point of co-operation, there was a thread about this and it did have some good ideas. Extensions and especially templates are likely to be compatible.
>>
>> This isn't a given. By the time AOOo makes an end-user release, there are likely to be substantial differences and a shared add-ons repo would probably need to distinguish strongly between the two projects. Still worth considering though, I agree.
>>
>>> Given the licensing issues with Apache hosting it does make more sense for the TDF to host these.
>>
>> TDF won't host closed extensions though, so the combined (TDF + Apache) repo would still hold less than the current repo.
>>
>>> No technical reasons why the openoffice.org DNS for these couldn't point to servers hosted by the TDF.
>>
>> Maybe this is a compromise solution for the security list too? make it coordinat...@security.openoffice.org and point the MX at a TDF server?
>>
>> S.
Re: Neutral / shared security list ...
Hi Michael,

On Oct 25, 2011, at 3:47 AM, Michael Meeks wrote:
> Hi Dave,
>
> On Mon, 2011-10-24 at 16:25 -0700, Dave Fisher wrote:
>> Not sure how much this is like your original proposal, but maybe the following is acceptable:
>>
>> (1) The securityt...@openoffice.org continues.
>
> As mentioned, not happy about an openoffice.org domain; LibreOffice is not openoffice.org, that is not really neutral.

Understood. It is a requirement for a neutral address. On our side it is a desire for the same address

>> (2) The membership of securityteam ML should be open to individuals and forks/downstreams as selected by the ML membership.
>
> Fine - though I'd characterise AOOoI as a fork too if this is used as a loaded term.

Not meant to be loaded. As in another email exchange with Simon, PEER relationships without regard to perceived historical relationships.

>> (3) The securityteam ML moderators are selected from the individual membership of the securityteam ML.
>
> Fine.
>
>> (4) The securityteam ML is nominally under the governance of the ASF - either the AOOo podling PPMC, the Apache Security Team, or even the Foundation Board. I think the AOOo podling PPMC should be acceptable, but we can ask the other entities if that is not neutral enough. We may ask the TDF to neutrally host some component and it would make sense for each entity to trust the neutrality of the other entity (Rob's real point).
>
> Totally unacceptable, I'm sorry. The Apache project is by no means neutral. The decision to take on AOOoI and the actions of that project are its responsibility.

By nominally I meant only the minimum required by any responsible host who opens their facilities to the public. However, this is moot (does not matter) if the address is not in a domain that the ASF is responsible for.

>> (5) No iCLAs are required.
>
> Of course.
>
>> (6) A set point for membership is determined when at least AOOo, TDF, and any other OOo fork/downstreams who might appear within a reasonably short time period. The deadline would need to be agreed.
>
> I would not have a process - we should just include everyone competent who has a reason to be there; that is normally fairly easy to work out relationally; if not the moderators can thrash it out. If it is a multi-vendor, neutral list I don't envisage controversy there.

I don't either. My thought was to give individuals / peer projects time to appear. If they are welcomed gladly by the list after the list's establishment then no troubles.

>> (7) The securityt...@openoffice.org ML will be hosted by the ASF when the MX for openoffice.org is moved to ASF Infrastructure.
>
> Hosting by the ASF is by no means ideal, but perhaps compromise here is reasonable.
>
>> I'm currently curious if LO uses extensions.s.oo.o and templates.s.oo.o?
>
> We built our own new infrastructure for that.

Good for LO. More for AOOo to clean up...

> So - I am still fairly firmly convinced that this security thing is not going to pan out. Here is my potted history of it:
>
> * initial request for continuing the traditional, friendly cross membership of security lists
>   + turned down at AOOoI: Apache Committers only
> * requests for a neutral list with neutral name turn into:
>   + ASF openoffice.org -are-neutral-; proof by assertion
> * more compromise proposals arrive
>   + these have high level ASF governance hard-wired

I can see how you would perceive the history this way. I think it would help to have a single ML and I think that is more important than the address. securityt...@openoffice.org can be made to forward to that address if necessary.

> This doesn't make it seem like we're going anywhere productive, which is fine - there is no huge problem with having two separate public facing security lists that can have cross membership on them. Since there is no TDF affiliated admin for the currently suggested, Apache controlled, 'neutral' security list, extracting a membership list of that would be appreciated - so we can mirror it in a suitable other place.

It would be good for the AOOo PPMC to see this list as well. I think that the actual membership should be shared in private. Would someone with appropriate karma on the OOo MLs please provide this.

> I'm also minded to consider the relative grief of endlessly re-hashing this issue vs. actually fixing whatever bugs are found. Can we not just move on?

You suggested: officesecur...@lists.freedesktop.org

The comment was that this was not an appropriate domain name as not all of the Office Space is Linux.

So, the open question is where the list is hosted. Martin mentions hosting at Team OpenOffice, but that fails your neutrality test doesn't it?

Regards,
Dave

> All the best,
>
> Michael.
>
> --
> michael.me...@suse.com , Pseudo Engineer, itinerant idiot
Re: Neutral / shared security list ...
On Tue, Oct 25, 2011 at 11:24 AM, Dave Fisher dave2w...@comcast.net wrote:

> Hi Michael,
>
> On Oct 25, 2011, at 3:47 AM, Michael Meeks wrote:
>
>> Hi Dave,
>>
>> On Mon, 2011-10-24 at 16:25 -0700, Dave Fisher wrote:
>>> Not sure how much this is like your original proposal, but maybe the following is acceptable:
>>>
>>> (1) The securityt...@openoffice.org continues.
>>
>> As mentioned, not happy about an openoffice.org domain; LibreOffice is not openoffice.org, that is not really neutral.
>
> Understood. It is a requirement for a neutral address. On our side it is a desire for the same address.
>
>>> (2) The membership of securityteam ML should be open to individuals and forks/downstreams as selected by the ML membership.
>>
>> Fine - though I'd characterise AOOoI as a fork too if this is used as a loaded term.
>
> Not meant to be loaded. As in another email exchange with Simon, PEER relationships without regard to perceived historical relationships.
>
>>> (3) The securityteam ML moderators are selected from the individual membership of the securityteam ML.
>>
>> Fine.
>>
>>> (4) The securityteam ML is nominally under the governance of the ASF - either the AOOo podling PPMC, the Apache Security Team, or even the Foundation Board. I think the AOOo podling PPMC should be acceptable, but we can ask the other entities if that is not neutral enough. We may ask the TDF to neutrally host some component and it would make sense for each entity to trust the neutrality of the other entity (Rob's real point).
>>
>> Totally un-acceptable, I'm sorry. The Apache project is by no means neutral. The decision to take on AOOoI and the actions of that project are its responsibility.
>
> By nominally I meant only the minimum required by any responsible host who opens their facilities to the public. However, this is moot (does not matter) if the address is not in a domain that the ASF is responsible for.
>
>>> (5) No iCLAs are required.
>>
>> Of course.
>>
>>> (6) A set point for membership is determined when at least AOOo, TDF, and any other OOo fork/downstreams who might appear within a reasonably short time period. The deadline would need to be agreed.
>>
>> I would not have a process - we should just include everyone competent who has a reason to be there; that is normally fairly easy to work out relationally; if not the moderators can thrash it out. If it is a multi-vendor, neutral list I don't envisage controversy there.
>
> I don't either. My thought was to give individuals / peer projects time to appear. If they are welcomed gladly by the list after the list's establishment then no troubles.
>
>>> (7) The securityt...@openoffice.org ML will be hosted by the ASF when the MX for openoffice.org is moved to ASF Infrastructure.
>>
>> Hosting by the ASF is by no means ideal, but perhaps compromise here is reasonable.
>>
>>> I'm currently curious if LO uses extensions.s.oo.o and templates.s.oo.o?
>>
>> We built our own new infrastructure for that.
>
> Good for LO. More for AOOo to cleanup...
>
>> So - I am still fairly firmly convinced that this security thing is not going to pan out. Here is my potted history of it:
>>
>> * initial request for continuing the traditional, friendly cross membership of security lists
>>   + turned down at AOOoI: Apache Committers only
>> * requests for a neutral list with neutral name turn into:
>>   + ASF openoffice.org -are-neutral-; proof by assertion
>> * more compromise proposals arrive
>>   + these have high level ASF governance hard-wired
>
> I can see how you would perceive the history this way. I think it would help to have a single ML and I think that is more important than the address. securityt...@openoffice.org can be made to forward to that address if necessary.
>
>> This doesn't make it seem like we're going anywhere productive, which is fine - there is no huge problem with having two separate public facing security lists that can have cross membership on them.
>>
>> Since there is no TDF affiliated admin for the currently suggested, Apache controlled, 'neutral' security list, extracting a membership list of that would be appreciated - so we can mirror it in a suitable other place.
>
> It would be good for the AOOo PPMC to see this list as well. I think that the actual membership should be shared in private. Would someone with appropriate karma on the OOo MLs please provide this.

-1 to that. Sharing subscriber lists with other organizations is a violation of trust and violates personal data protection.

However, if someone wants to send a note to securityteam, inviting members to subscribe to another list, as an opt-in, that would address those concerns.

But it would be good to think this through, and see if we can avoid an infinite regress of mailing lists. We already have ooo-security and tdf-security and securityteam. Are we really going to create a 4th one based on one person's irrational distrust of
Re: Neutral / shared security list ...
Hello,

it is really amazing how much hot air can be produced for such a topic. Folks, it's rather easy. After the recent discussions and the history of this topic, it becomes obvious that neutral grounds are important. Neutral grounds mean:

- no domain name related to Apache, OOo, TDF or LibO
- no hosting at one of these entities
- members of the list from both parties (and of course other third parties that make sense)
- admins of the list from both parties

I'd also avoid any of the German associations, either directly or via donations, since stakeholders at both projects are in their respective boards, which might raise concerns towards neutrality.

What's so complicated to understand here? We can bury ourselves with senselessly quoting bullshit from dictionaries, wikipedia or a philosopher of our choice, or finally start working on things.

A concrete proposal:

- We can use either FreeDesktop.org,
- or in case this is seen as non-neutral as it hosts also a few TDF lists (not all), go for SourceForge.
- I am also happy to ask a friend of mine who is in the business of mail server consultancy, to host that list under a neutral domain name. He hosts various lists for free projects. In case that's not neutral enough as he's a friend, I know none of the admins at SourceForge.

So, is there any *compelling* reason not to try out one of these three options?

Florian

--
Florian Effenberger flo...@documentfoundation.org
Steering Committee and Founding Member of The Document Foundation
Tel: +49 8341 99660880 | Mobile: +49 151 14424108
Skype: floeff | Twitter/Identi.ca: @floeff
[Proposal] Security coordination without a shared list
There is an easy way to avoid all the trust issues with regards to shared mailing lists. Don't have such a list. Trust individuals. This proposal takes this approach.

1) The AOOo PMC solicits the names of security contacts from related projects who wish to be consulted related to pre-disclosure coordination related to analysis and resolution of reported security vulnerabilities. Names of individuals are preferred over opaque mailing lists. Trust can be established based on a PGP/GPG web of trust. These names and addresses are stored confidentially in the PPMC's private SVN directory.

2) The AOOo security team reaches out to these contacts, as appropriate, via their preferred contact mechanism, to coordinate on specific vulnerabilities. We (Apache) would cc ooo-security on our external emails, as required by Apache policy [1].

3) Other groups would be encouraged to reach out to AOOo in similar circumstances via our preferred contact mechanism, ooo-security.

4) This fully allows targeted collaboration on specific issues, via each project's preferred contact mechanism, without requiring the maintenance of an additional email list.

5) If we want to discuss security in general, then that can/should happen on public dev lists. That public discussion could occur anywhere.

[1]: http://www.apache.org/security/committers.html
Re: Neutral / shared security list ...
On Tue, Oct 25, 2011 at 11:56 AM, Florian Effenberger flo...@documentfoundation.org wrote:

> Hello,
>
> it is really amazing how much hot air can be produced for such a topic. Folks, it's rather easy. After the recent discussions and the history of this topic, it becomes obvious that neutral grounds are important. Neutral grounds mean:
>
> - no domain name related to Apache, OOo, TDF or LibO
> - no hosting at one of these entities
> - members of the list from both parties (and of course other third parties that make sense)
> - admins of the list from both parties

Sorry, but you build an incredible amount of distrust in others if you express such irrational distrust in AOOo. I'd have extreme hesitation to work with anyone who exhibits such vehement distrust of an 11 year old open source foundation that produces 5 of the top 10 open source projects, and which has a stellar reputation in the industry, including its treatment of security vulnerabilities.

-Rob

> I'd also avoid any of the German associations, either directly or via donations, since stakeholders at both projects are in their respective boards, which might raise concerns towards neutrality.
>
> What's so complicated to understand here? We can bury ourselves with senselessly quoting bullshit from dictionaries, wikipedia or a philosopher of our choice, or finally start working on things.
>
> A concrete proposal:
>
> - We can use either FreeDesktop.org,
> - or in case this is seen as non-neutral as it hosts also a few TDF lists (not all), go for SourceForge.
> - I am also happy to ask a friend of mine who is in the business of mail server consultancy, to host that list under a neutral domain name. He hosts various lists for free projects. In case that's not neutral enough as he's a friend, I know none of the admins at SourceForge.
>
> So, is there any *compelling* reason not to try out one of these three options?
>
> Florian
Re: Neutral / shared security list ...
Hi,

Rob Weir wrote on 2011-10-25 18:11:

> Sorry, but you build an incredible amount of distrust in others if you express such irrational distrust in AOOo. I'd have extreme hesitation to work with anyone who exhibits such vehement distrust of an 11 year old open source foundation that produces 5 of the top 10 open source projects, and which has a stellar reputation in the industry, including its treatment of security vulnerabilities.

where did I express distrust in AOOo? I was explaining what neutral means. Is there anything wrong in the explanation of neutrality in this case?

One could also say you express distrust to people who have been involved with OpenOffice.org for nearly a decade. But insults like these lead to nowhere.

Florian
Re: Neutral / shared security list ...
On Tue, Oct 25, 2011 at 12:20 PM, Florian Effenberger flo...@documentfoundation.org wrote:

> Hi,
>
> Rob Weir wrote on 2011-10-25 18:11:
>
>> Sorry, but you build an incredible amount of distrust in others if you express such irrational distrust in AOOo. I'd have extreme hesitation to work with anyone who exhibits such vehement distrust of an 11 year old open source foundation that produces 5 of the top 10 open source projects, and which has a stellar reputation in the industry, including its treatment of security vulnerabilities.
>
> where did I express distrust in AOOo? I was explaining what neutral means. Is there anything wrong in the explanation of neutrality in this case?
>
> One could also say you express distrust to people who have been involved with OpenOffice.org for nearly a decade. But insults like these lead to nowhere.

My point is that neutrality does not increase trust. You may say Apache is not neutral, but I say Apache is trusted in this industry in security matters, with security researchers, users and corporations, and this trust is far greater than any trust you will have with a new ad-hoc little security list that you create today, with ad hoc governance.

I'm more concerned with trust than with neutrality. Users are more concerned with trust. Security reporters are more concerned with trust. And I recommend that you start being more concerned with trust, users and security.

It is mind boggling that we're having a discussion about an important topic -- how we handle security vulnerabilities -- and the discussion is being led based entirely on non-security considerations, without hardly a mention of users, and instead dwelling on one party's paranoia. This does not make sense.

-Rob

> Florian
Re: Neutral / shared security list ...
Hi,

Rob Weir wrote on 2011-10-25 18:26:

> It is mind boggling that we're having a discussion about an important topic -- how we handle security vulnerabilities -- and the discussion is being led based entirely on non-security considerations, without hardly a mention of users, and instead dwelling on one party's paranoia. This does not make sense.

if you want, I can perfectly write you paragraphs about why TDF, why FrODeV or why any other entity is trustworthy and/or neutral. Again, this doesn't lead to anywhere in this case.

Name me one argument that speaks against my proposal, other than personal feelings. Otherwise I'm not wasting my time anymore with discussing that topic here, it really leads to nowhere.

I made a proposal on how to have neutral grounds, and if all parties are involved, trust should be given as well. Users will benefit. Everyone happy. Easy, isn't it?

Florian
Re: [PATCH] Fix for #118485#, #108221#, #67705#
Hi Armin,

Armin Le Grand wrote:

> [..]
>
> I checked all changes again and added the patch to #118485#. Now I'm looking for someone volunteering to add the patch, build AOOo and play around with OLEs a little bit, reading the patch will also help in this case, it's not too big to do so.

I did some further tests. I have taken some older documents, where the transformations are done via matrix (you know them). Chart and Math-Formulas behave now the same way as simple drawing objects. So that is OK.

OOo sxd-documents are converted fine, the fill style and the line style are corrected to NONE.

> The change looks big, but it touches no too critical parts. It is also necessary to bring it in AOOo3.4, this change relies on a version change (here: 3.3 to 3.4) to be able to correct files written by OOo up to 3.3 (and only those).
>
> Some background: The root problem here was that older versions straight ignored attributes set at OLE objects by just not painting them. This means that in files generated the attributes are written and in plain ODF OLEs are filled default (blue8) and have line on default (black hairline).

Documents made with LibreOffice are not converted. The background is blue and the line black. Is a solution possible inside AOOo? Should it be done?

I have written a Basic macro to set the background and line style to NONE. Developing it I have noticed, that the Math-objects do not support the services LineProperties and FillProperties. But I can set the single properties 'LineStyle' and 'FillStyle' and Xray lists all the other properties. So shouldn't they support these services?

> Questions/Comments are welcome,
>
> Armin

Kind regards
Regina
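As an added illustration of the workaround Regina describes (this is not her macro and not part of the patch), a StarBasic routine that walks the document's draw page and sets the single properties FillStyle and LineStyle to NONE on every embedded OLE2Shape, which covers Chart and Math objects alike. It assumes the affected document is open as ThisComponent and exposes one DrawPage (a Writer document); the routine name ResetOleFillAndLine is hypothetical.

```basic
' Added example, not the patch author's code: reset the fill and line of
' every OLE object on the current draw page to NONE, the appearance older
' OOo versions produced by ignoring those attributes. Assumes a Writer
' document open as ThisComponent; a Draw/Impress document would instead
' require iterating ThisComponent.DrawPages.
Sub ResetOleFillAndLine
    Dim oPage As Object, oShape As Object
    Dim i As Integer, nFixed As Integer

    oPage = ThisComponent.getDrawPage()
    nFixed = 0

    For i = 0 To oPage.getCount() - 1
        oShape = oPage.getByIndex(i)
        ' Chart, Math and other embedded objects all appear as OLE2Shape.
        ' Set the single properties rather than going through the
        ' FillProperties/LineProperties services, which Math objects lack.
        If oShape.ShapeType = "com.sun.star.drawing.OLE2Shape" Then
            oShape.FillStyle = com.sun.star.drawing.FillStyle.NONE
            oShape.LineStyle = com.sun.star.drawing.LineStyle.NONE
            nFixed = nFixed + 1
        End If
    Next i

    MsgBox "Reset fill/line on " & nFixed & " OLE object(s)"
End Sub
```

Run it from Tools > Macros on a LibreOffice-written document that the 3.3-to-3.4 version check does not convert, then save; Xray can be used on one of the shapes afterwards to confirm both properties read NONE.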
Re: Neutral / shared security list ...
Hi Dave,

First - thanks for being so reasonable :-) it is rather refreshing to talk details in a pleasant fashion.

On Tue, 2011-10-25 at 08:24 -0700, Dave Fisher wrote:
> However, this is moot (does not matter) if the address is not in a domain that the ASF is responsible for.

Fair enough, seems we're on the same page here then.

>> I would not have a process - we should just include everyone competent who has a reason to be there; that is normally fairly easy to work out relationally; if not the moderators can thrash it out. If it is a multi-vendor, neutral list I don't envisage controversy there.
>
> I don't either. My thought was to give individuals / peer projects time to appear. If they are welcomed gladly by the list after the list's establishment then no troubles.

Sure - I suspect pre-populating with the previous guys, adding a few more interested relevant parties and so on would be fine.

> I think it would help to have a single ML and I think that is more important than the address.

Completely agreed.

> securityt...@openoffice.org can be made to forward to that address if necessary.

Sure.

> It would be good for the AOOo PPMC to see this list as well. I think that the actual membership should be shared in private. Would someone with appropriate karma on the OOo MLs please provide this.

That'd be Rob or Malte or Martin? I suspect.

> You suggested: officesecur...@lists.freedesktop.org

Yep, luckily it is not created just yet.

> The comment was that this was not an appropriate domain name as not all of the Office Space is Linux. So, the open question is where the list is hosted.

Sure; so freedesktop is chosen only because it happens to be close to hand, and more neutral than anything else I could think of in five seconds, and less lame than e.g. a sourceforge address. I had hoped that there would be volunteers with more fun-sounding domains around that could host a mailing list. IMHO it doesn't need to have ultra-rocket powered security / mail encryption features - the problems are mostly rather banal.

> Martin mentions hosting at Team OpenOffice, but that fails your neutrality test doesn't it?

Gosh - actually, I don't know. It is really not that clear to me where Martin co. stands on these things, though having read his intro mail here which seemed (to me) to suggest that TDF should give up go home ;-) I'd tend to agree with that neutrality concern.

Of course, perhaps this is all overblown anyway; if the openoffice.org domain was to become something common to, and shared by all those distributing binaries based on the code, that might be the neutral place we're looking for. Of course, so far it's clear to me what the plans are for the domain.

So where does that leave us? One approach that hasn't been discussed (and is perhaps a good compromise) - is for me to go ahead and setup the list @freedesktop, and for you guys to advertise the @ooo alias on your pages, and us to advertise the freedesktop one on ours. That'd give a neutral venue, name, back-compat, no need to use the freedesktop brand for AOOoI etc.

What do you think?

Thanks,

Michael
Re: Neutral / shared security list ...
Hi,

Rob Weir wrote on 2011-10-25 18:38:

> I believe it is a bad pattern to establish for collaboration. We need to recognize that TDF/LO exists as a project, and AOOo exists as a project. Once we acknowledge this then it logically follows that collaboration will occur between these two projects. Do we create a new mailing list or website, or wiki or whatever, every time we want to collaborate? Is that what we really want to start doing? If we want to coordinate on maintaining a module, we can't do it at Apache? If we want to share translation strings, we can't do it at TDF? If we want to share anything, we need to create and maintain an entirely new infrastructure for it? Sorry, that does not make sense.

answering questions with other questions does not make sense. Again, given the history of this topic, I think neutral grounds make sense. I made a proposal, and so far I have not heard any compelling reason why this proposal is wrong. And I doubt you will name me one, because there is none.

Out for today, doing things that make sense.

Florian
Re: Neutral / shared security list ...
Rob,

Some points and a slight criticism about your style which is to put it mildly an acquired taste.

On Oct 25, 2011, at 8:41 AM, Rob Weir wrote:

> On Tue, Oct 25, 2011 at 11:24 AM, Dave Fisher dave2w...@comcast.net wrote:
>> Hi Michael,
>>
>> On Oct 25, 2011, at 3:47 AM, Michael Meeks wrote:
>>> Hi Dave,
>>>
>>> On Mon, 2011-10-24 at 16:25 -0700, Dave Fisher wrote:
>>>> Not sure how much this is like your original proposal, but maybe the following is acceptable:
>>>>
>>>> (1) The securityt...@openoffice.org continues.
>>>
>>> As mentioned, not happy about an openoffice.org domain; LibreOffice is not openoffice.org, that is not really neutral.
>>
>> Understood. It is a requirement for a neutral address. On our side it is a desire for the same address.

Rob - you've been misquoting Michael about neutral. Here he expressed his view succinctly. I also think you might have finally made clear what you mean by neutrality in your exchange with Florian. I think you mean a measure of trust, but verify.

snip

>>> So - I am still fairly firmly convinced that this security thing is not going to pan out. Here is my potted history of it:
>>>
>>> * initial request for continuing the traditional, friendly cross membership of security lists
>>>   + turned down at AOOoI: Apache Committers only
>>> * requests for a neutral list with neutral name turn into:
>>>   + ASF openoffice.org -are-neutral-; proof by assertion
>>> * more compromise proposals arrive
>>>   + these have high level ASF governance hard-wired
>>
>> I can see how you would perceive the history this way. I think it would help to have a single ML and I think that is more important than the address. securityt...@openoffice.org can be made to forward to that address if necessary.
>>
>>> This doesn't make it seem like we're going anywhere productive, which is fine - there is no huge problem with having two separate public facing security lists that can have cross membership on them.
>>>
>>> Since there is no TDF affiliated admin for the currently suggested, Apache controlled, 'neutral' security list, extracting a membership list of that would be appreciated - so we can mirror it in a suitable other place.
>>
>> It would be good for the AOOo PPMC to see this list as well. I think that the actual membership should be shared in private. Would someone with appropriate karma on the OOo MLs please provide this.
>
> -1 to that. Sharing subscriber lists with other organizations is a violation of trust and violates personal data protection.

-1 is anti-social. -1 to your -1. Please stop these -1s. You don't win any friends this way. You drive people away. I had to waste time being annoyed.

> However, if someone wants to send a note to securityteam, inviting members to subscribe to another list, as an opt-in, that would address those concerns.

If the AOOo podling is responsible for the governance of the securityteam@oo.o list then it deserves to know who the heck is on the list. If the PEER constituents of a shared securityteam@oo.o (or whatever list is decided) cannot know the membership of that list then the project should have zero to do with that list. I know that the situation is not this extreme, but your -1s invite extreme reactions.

> But it would be good to think this through, and see if we can avoid an infinite regress of mailing lists. We already have ooo-security and tdf-security and securityteam. Are we really going to create a 4th one based on one person's irrational distrust of Apache? What if we create that list and someone else expresses irrational distrust of that list? (And don't say it could not happen). And then the same thing with a 5th list? I think it is easier just to work toward a security list with rational participants on it.

We are deciding what to do with securityteam@oo.o. Does it continue or is it replaced by another list? We are NOT deciding on 4th or 5th lists. Put those cats back in your hat, they are distractions for a rainy day.

(Yes, I learned recursion from Dr. Seuss!)

Regards,
Dave

> -Rob
>
>>> I'm also minded to consider the relative grief of endlessly re-hashing this issue vs. actually fixing whatever bugs are found. Can we not just move on.
>>
>> You suggested: officesecur...@lists.freedesktop.org
>>
>> The comment was that this was not an appropriate domain name as not all of the Office Space is Linux. So, the open question is where the list is hosted.
>>
>> Martin mentions hosting at Team OpenOffice, but that fails your neutrality test doesn't it?
>>
>> Regards,
>> Dave
>>
>>> All the best,
>>>
>>> Michael.
Re: Neutral / shared security list ...
On Tue, Oct 25, 2011 at 12:46 PM, Florian Effenberger flo...@documentfoundation.org wrote:

> Hi,
>
> Rob Weir wrote on 2011-10-25 18:38:
>
>> I believe it is a bad pattern to establish for collaboration. We need to recognize that TDF/LO exists as a project, and AOOo exists as a project. Once we acknowledge this then it logically follows that collaboration will occur between these two projects. Do we create a new mailing list or website, or wiki or whatever, every time we want to collaborate? Is that what we really want to start doing? If we want to coordinate on maintaining a module, we can't do it at Apache? If we want to share translation strings, we can't do it at TDF? If we want to share anything, we need to create and maintain an entirely new infrastructure for it? Sorry, that does not make sense.
>
> answering questions with other questions does not make sense. Again, given the history of this topic, I think neutral grounds make sense. I made a proposal, and so far I have not heard any compelling reason why this proposal is wrong. And I doubt you will name me one, because there is none.

It is like making a baby. If you are covered head to toe in latex, it ain't going to happen. You're trying to do collaboration in a hermetically sealed box, wearing gloves and pinching your nose so you don't have to smell the other party. Nothing useful will come from that sterile approach. Those who want to collaborate need to start getting dirty, working on each other's existing mailing lists (sacre bleu!) and acting more like hackers and less like cold war diplomats arguing over the shape of the negotiating table.

Collaboration is not about neutrality. It is about collaboration. The sooner we acknowledge this out the sooner we'll achieve results.

Again, I invite you to accept our hospitality graciously, and continue participation in the long-established OOo securityteam mailing list, soon to be under Apache control and hosting.

I'd also love it if you thought of some TDF-hosted service, in some other area, where you could return the favor and allow us the honor of accepting your hospitality, and give us the opportunity to demonstrate that we have no problems in principle with collaborating with TDF/LO on web sites that they control.

-Rob

> Out for today, doing things that make sense.
>
> Florian
Re: Neutral / shared security list ...
On 25 October 2011 18:01, Rob Weir robw...@apache.org wrote:

> On Tue, Oct 25, 2011 at 12:46 PM, Florian Effenberger flo...@documentfoundation.org wrote:
>> Hi,
>>
>> Rob Weir wrote on 2011-10-25 18:38:
>>
>>> I believe it is a bad pattern to establish for collaboration. We need to recognize that TDF/LO exists as a project, and AOOo exists as a project. Once we acknowledge this then it logically follows that collaboration will occur between these two projects. Do we create a new mailing list or website, or wiki or whatever, every time we want to collaborate? Is that what we really want to start doing? If we want to coordinate on maintaining a module, we can't do it at Apache? If we want to share translation strings, we can't do it at TDF? If we want to share anything, we need to create and maintain an entirely new infrastructure for it? Sorry, that does not make sense.
>>
>> answering questions with other questions does not make sense. Again, given the history of this topic, I think neutral grounds make sense. I made a proposal, and so far I have not heard any compelling reason why this proposal is wrong. And I doubt you will name me one, because there is none.
>
> It is like making a baby.

Well babies are usually made from love and tenderness (unless it's a mistake) and I don't see too much of that in this approach. At least to get started why not do it on a neutral list? Florian has made a perfectly reasonable case for it. Is that so much to give up just to get something going? In terms of baby making I'd say we need some serious marriage guidance before even talking about getting in bed together never mind wrapping anything in latex.

As a PPMC member I think we should show good will by going along with Florian's suggestion and at least get one area of definite cooperation. Where it happens is totally irrelevant.

> If you are covered head to toe in latex, it ain't going to happen. You're trying to do collaboration in a hermetically sealed box, wearing gloves and pinching your nose so you don't have to smell the other party. Nothing useful will come from that sterile approach. Those who want to collaborate need to start getting dirty, working on each other's existing mailing lists (sacre bleu!) and acting more like hackers and less like cold war diplomats arguing over the shape of the negotiating table.
>
> Collaboration is not about neutrality. It is about collaboration. The sooner we acknowledge this out the sooner we'll achieve results.
>
> Again, I invite you to accept our hospitality graciously, and continue participation in the long-established OOo securityteam mailing list, soon to be under Apache control and hosting.
>
> I'd also love it if you thought of some TDF-hosted service, in some other area, where you could return the favor and allow us the honor of accepting your hospitality, and give us the opportunity to demonstrate that we have no problems in principle with collaborating with TDF/LO on web sites that they control.
>
> -Rob
>
>> Out for today, doing things that make sense.
>>
>> Florian

--
Ian
Ofqual Accredited IT Qualifications (The Schools ITQ)
www.theINGOTs.org +44 (0)1827 305940
The Learning Machine Limited, Reg Office, 36 Ashby Road, Tamworth, Staffordshire, B79 8AQ. Reg No: 05560797, Registered in England and Wales.
Re: Neutral / shared security list ...
Hi Michael, On Oct 25, 2011, at 9:35 AM, Michael Meeks wrote: Hi Dave, First - thanks for being so reasonable :-) it is rather refreshing to talk details in a pleasant fashion. You are welcome! I'm looking for common ground and I am trying to listen to logic. On Tue, 2011-10-25 at 08:24 -0700, Dave Fisher wrote: However, this is moot (does not matter) if the address is not in a domain that the ASF is responsible. Fair enough, seems we're on the same page here then. I would not have a process - we should just include everyone competent who has a reason to be there; that is normally fairly easy to work out relationally; if not the moderators can thrash it out. If it is a multi-vendor, neutral list I don't envisage controversy there. I don't either. My thought was to give individuals / peer projects time to appear. If they are welcomed gladly by the list after the list's establishment then no troubles. Sure - I suspect pre-populating with the previous guys, adding a few more interested relevant parties and so on would be fine. I think it would help to have a single ML and I think that is more important than the address. Completely agreed. securityt...@openoffice.org can be made to forward to that address if necessary. Sure. It would be good for the AOOo PPMC to see this list as well. I think that the actual membership should be shared in private. Would someone with appropriate karma on the OOo MLs please provide this. That'd be Rob or Malte or Martin? I suspect. One or more of those three I think. Membership is a side issue from the plan. You suggested: officesecur...@lists.freedesktop.org Yep, luckily it is not created just yet. The comment was that this was not an appropriate domain name as not all of the Office Space is Linux. So, the open question is where the list is hosted. Sure; so freedesktop is chosen only because it happens to be close to hand, and more neutral than anything else I could think of in five seconds, and less lame than eg. a sourceforge address. 
I had hoped that there would be volunteers with more fun-sounding domains around that could host a mailing list. IMHO it doesn't need to have ultra-rocket powered security / mail encryption features - the problems are mostly rather banal. Martin mentions hosting at Team OpenOffice, but that fails your neutrality test doesn't it? Gosh - actually, I don't know. It is really not that clear to me where Martin co. stands on these things, though having read his intro mail here which seemed (to me) to suggest that TDF should give up go home ;-) I'd tend to agree with that neutrality concern. Of course, perhaps this is all overblown anyway; if the openoffice.org domain was to become something common to, and shared by all those distributing binaries based on the code, that might be the neutral place we're looking for. Of course, so far it's clear to me what the plans are for the domain. We do plan to port www.openoffice.org to support all the current non AL releases and archives. It will be branded in a way approved by the ASF removing Oracle logos, etc. While the AOOo project will control the website content through the Apache SVN, there is no reason that some of the openoffice.org services couldn't be hosted elsewhere. The main requirements would be OOo branding and nominal AOOo oversight. So where does that leave us ? one approach that hasn't been discussed (and is perhaps a good compromise) - is for me to go ahead and setup the list @freedesktop, and for you guys to advertise the @ooo alias on your pages, and us to advertise the freedesktop one on ours. That'd give a neutral venue, name, back-compat, no need to use the freedesktop brand for AOOoI etc. What do you think ? I think we are getting somewhere. The last detail is which is the real ML and which is the forwarder. While the AOOo project might prefer to have that be the original securityteam@oo.o the best choice is really technical. 
Let's think about the operation from the point of view of the user who sends a report to this two headed list. By default when a reply is sent it will have a reply-to from the real ML. If the user sent the message to the forwarding ML they may be confused (and upset.) I think where the real shared securityteam ML exists should be determined by the flexibility in handling this situation. Ideally the user should feel that they are conversing with the ML they think they are sending to. In the absence of such flexibility from a ML host then clear instructions on the site that links to the forwarding ML should be enough. The simplest solution would be for TDF to setup a forwarder to the existing securityteam@oo.o. I suspect the best solution might be the other way, but would need to know the provider and what special services they have. Regards, Dave
Re: Neutral / shared security list ...
On Tue, Oct 25, 2011 at 1:18 PM, Ian Lynch ianrly...@gmail.com wrote: On 25 October 2011 18:01, Rob Weir robw...@apache.org wrote: On Tue, Oct 25, 2011 at 12:46 PM, Florian Effenberger flo...@documentfoundation.org wrote: Hi, Rob Weir wrote on 2011-10-25 18:38: I believe it is a bad pattern to establish for collaboration. We need to recognize that TDf/LO exists as a project, and AOOo exists as a project. Once we acknowledge this then it logically follows that collaboration will occur between these two projects. Do we create a new mailing list or website, or wiki or whatever, every time we want to collaborate? Is that what we really want to start doing? If we want to coordinate on maintaining a module, we can't do it at Apache? If we want to share translation strings, we can't do it at TDF? If we want to share anything, we need to create and maintain an entirely new infrastructure for it? Sorry, that does not make sense. answering questions with other questions does not make sense. Again, given the history of this topic, I think neutral grounds make sense. I made a proposal, and so far I have not heard any compelling reason why this proposal is wrong. And I doubt you will name me one, because there is none. It is like making a baby. Well babies are usually made from love and tenderness (unless it's a mistake) and I don't see too much of that in this approach. At least to get started why not do it on a neutral list? Florian has made a perfectly reasonable case for it. Is that so much to give up just to get something going? In terms of baby making I'd say we need some serious marriage guidance before even talking about getting in bed together never mind wrapping anything in latex. As a PPMC member I think we should show good will by going along with Florian's suggestion and at least get one area of definite cooperation. Where it happens is totally irrelevant. Then perhaps pursue one of the 6 or other options I raised for collaboration, unrelated to security. 
But I think we do poorly if PPMC members who are not involved with security use this list proposal as their playground for collaborative experimentation. There is a reason why we created a separate ooo-security list with only a subset of PPMC members. If you are covered head to toe in latex, it ain't going to happen. You're trying to do collaboration in a hermetically sealed box, wearing gloves and pinching your nose so you don't have to smell the other party. Nothing useful will come from that sterile approach. Those who want to collaborate need to start getting dirty, working on each other's existing mailing lists (sacre bleu!) and acting more like hackers and less like cold war diplomats arguing over the shape of the negotiating table. Collaboration is not about neutrality. It is about collaboration. The sooner we acknowledge this, the sooner we'll achieve results. Again, I invite you to accept our hospitality graciously, and continue participation in the long-established OOo securityteam mailing list, soon to be under Apache control and hosting. I'd also love it if you thought of some TDF-hosted service, in some other area, where you could return the favor and allow us the honor of accepting your hospitality, and give us the opportunity to demonstrate that we have no problems in principle with collaborating with TDF/LO on web sites that they control. -Rob Out for today, doing things that make sense. Florian -- Florian Effenberger flo...@documentfoundation.org Steering Committee and Founding Member of The Document Foundation Tel: +49 8341 99660880 | Mobile: +49 151 14424108 Skype: floeff | Twitter/Identi.ca: @floeff -- Ian Ofqual Accredited IT Qualifications (The Schools ITQ) www.theINGOTs.org +44 (0)1827 305940 The Learning Machine Limited, Reg Office, 36 Ashby Road, Tamworth, Staffordshire, B79 8AQ. Reg No: 05560797, Registered in England and Wales.
Re: [Proposal] Security coordination without a shared list
Rob, I'd like to actually try to work out the shared list situation with a sincere spirit of mutual understanding, listening and co-operation. On Oct 25, 2011, at 9:08 AM, Rob Weir wrote: There is an easy way to avoid all the trust issues with regards to shared mailing lists. Don't have such a list. Trust individuals. This proposal takes this approach. 1) The AOOo PMC solicits the names of security contacts from related projects who wish to be consulted related to pre-disclosure coordination related to analysis and resolution of reported security vulnerabilities. Names of individuals are preferred over opaque mailing lists. Trust can be established based on a PGP/GPG web of trust. These names and addresses are stored confidentially in the PPMC's private SVN directory. Do you have software that actually exists that does this? Who is going to build this? 2) The AOOo security team reaches out to these contacts, as appropriate, via their preferred contact mechanism, to coordinate on specific vulnerabilities. We (Apache) would cc ooo-security on our external emails, as required by Apache policy [1]. Replies would not necessarily be cc'd to ooo-security and that would be a problem. 3) Other groups would be encouraged to reach out to AOOo in similar circumstances via our preferred contact mechanism, ooo-security. 4) This fully allows targeted collaboration on specific issues, via each project's preferred contact mechanism, without requiring the maintenance of an additional email list. 5) If we want to discuss security in general, then that can/should happen on public dev lists. That public discussion could occur anywhere. [1]: http://www.apache.org/security/committers.html Time to be productive today. Regards, Dave
Re: Draft mailing list notification post
I wonder if this is too technically detailed. Since the recipient is a ML user that impact should be noted near the top. The information about what the ASF / podling process is all about should be at the end. Information here to go to find out about AOOo release plans would be helpful. A wiki page with updates. A link to the ooo blog. On Oct 25, 2011, at 5:57 AM, Rob Weir wrote: On the wiki here: https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post Feel free to make changes directly on the wiki, or suggest them as responses to this note. I don't think we want to overburden the reader with a recitation of migration facts, but instead motivate them to take the desired actions. But since this will be for many the first note they officially receive from the PPMC, it should probably have some introductory information, and a welcome and invitation to get involved (stay involved) with the project. -Rob
Re: working on a OpenOffice roadmap
I'm at a dinner so my apologies for the top-post, but really, I'm trying to help Pedro (and now it seems you) see things from /outside/ the Apache worldview and understand why the mistrust is brewing. I can recite the Apache mantra too, it's just no-one here needs to hear it any more :-) -- Simon Phipps {Terse? Mobile!} On Oct 25, 2011 3:01 PM, Shane Curcuru a...@shanecurcuru.org wrote: Thank you Pedro for the very well thought out and politely presented explanation of your point. It's very helpful to have this kind of honest and detailed discussion, especially when tempers run high, and doubly so when there's such a clear (and unfortunate) distrust between AOOo community members and folks working on TDF/LO. Personally, I agree: the point is that if TDF/LO also encourages / documents as an additional optional step / even simply allows in some obvious public way for people submitting patches that could apply to AOOo under both licenses, that would be a big win for the ecosystem. AOOo code will already be fully useable by LO, so I find it hard to see what the harm is in allowing TDF/LO contributors to know about the option of dual licensing specific patches under the AL. This is certainly not something aimed at hurting LO, and certainly doesn't apply to new or changed work in LO. But it would be nice to discuss the possibility of having code that both projects can use without getting everyone's hackles up. Especially since the alternative seems to be that Simon (I think) is saying he'd effectively rather see everyone contributing code exclusively to one project, and explicitly not allowing it to be contributed into the other. This is exactly why I believe in the Apache license. I believe that *people* should be free. Users of our Apache software should be free to use it as they see fit. 
If they contribute changes back, that's great - but what's important for open source is that humans now have access to a wealth of powerful software for free that they can use openly, easily, and for their own purposes, without undue restrictions. - Shane P.S. and really, while the iCLA is a required step to become a committer at Apache, it really shouldn't be such a large club to hit us over the head repeatedly. It's not needed for most patches like I thought we were discussing here. On 10/25/2011 7:25 AM, Pedro Giffuni wrote: Hi Simon; I try to give people the benefit of the doubt. Ethos is something that goes well beyond a license, and once you read the iCLA it's not an impossible thing to ask ( you signed it), and it's surely not what SUN had in place. That said, and it's something I have argued about publicly with Rob, while the iCLA is a requisite to become a committer, it is not a requisite to contribute. Furthermore, once we start doing releases (and trust me, we will get there) they are likely to start including AL2 code anyways. Am I naive? Yes. I was never part of the previous OOo community led by SUN so perhaps not having that trauma helps me see things a lot simpler than they are. There is an evident lack of confidence in us over there and as I said before, in private, we can't start activities like a shared security list if there is no confidence first. I stand to the principle that we are neutral, and that every vendor or community member is free to join or leave whenever they want Pedro. --- On Tue, 10/25/11, Simon Phipps si...@webmink.com wrote: On Mon, Oct 24, 2011 at 8:20 PM, Pedro Giffuni p...@apache.org wrote: If libreoffice encourages, but not requires, AL2 for stuff in the core package, that would be a huge advance to get a bit nearer both camps. Given licenses are the expression of the ethos of a community, it's disingenuous and divisive to assume any community will drop its governance approach like this, Pedro. 
It translates as the path to collaboration is your surrender; we can negotiate once you've done that. You make it sound so innocent, too, by missing out the other requirement that Apache would have for contributors to sign an ICLA and thus join Apache :-) S.
Re: Neutral / shared security list ...
On Tue, 2011-10-25 at 10:22 -0700, Dave Fisher wrote: You are welcome! I'm looking for common ground and I am trying to listen to logic. :-) So where does that leave us ? one approach that hasn't been discussed (and is perhaps a good compromise) - is for me to go ahead and setup the list @freedesktop, and for you guys to advertise the @ooo alias on your pages, and us to advertise the freedesktop one on ours. .. What do you think ? I think we are getting somewhere. The last detail is which is the real ML and which is the forwarder. While the AOOo project might prefer to have Fair point - for ultra-fairness we should perhaps publish two forwarding addresses - securityteam@oo.o and securityteam@tdf one each, both pointing at the neutrally hosted list. Regards, Michael. -- michael.me...@suse.com , Pseudo Engineer, itinerant idiot
Re: Draft mailing list notification post
On Tue, Oct 25, 2011 at 1:45 PM, Dave Fisher dave2w...@comcast.net wrote: I wonder if this is too technically detailed. Since the recipient is a ML user that impact should be noted near the top. The information about what the ASF / podling process is all about should be at the end. The feedback we received when we sent an earlier list migration note to the users and discuss list, after we initially set up ooo-users, was along the lines of Who the hell are you and why is this the first we are hearing about the migration?. That is why I put the introductory ASF stuff at the top, to put it in context. Of course, doing that could lead people to ignore the note, thinking there is nothing important in it. So that's why I started by saying the note was important. But I realize that that itself could increase the chance of the email being ignored, since emails that say they are important rarely are. So how can we have both a good intro as well as get a high response rate? Maybe split this into two emails, and space them a week apart? So one email that is the intro, gives the background on the Incubation, the migration effort, etc. Short and sweet. They might actually read it. Then follow a week later with As we previously mentioned in our note last week We're starting the list migration now. To join the new list you will need to Would that be better? Information here to go to find out about AOOo release plans would be helpful. A wiki page with updates. We have a release plan? I suppose we can put a placeholder page. A link to the ooo blog. Good idea. Maybe also include on every post a link to the ooo-dev and ooo-users lists, since those are our main ones. -Rob On Oct 25, 2011, at 5:57 AM, Rob Weir wrote: On the wiki here: https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post Feel free to make changes directly on the wiki, or suggest them as responses to this note. 
I don't think we want to overburden the reader with a recitation of migration facts, but instead motivate them to take the desired actions. But since this will be for many the first note they officially receive from the PPMC, it should probably have some introductory information, and a welcome and invitation to get involved (stay involved) with the project. -Rob
Re: Neutral / shared security list ...
On Tue, Oct 25, 2011 at 1:55 PM, Michael Meeks michael.me...@suse.com wrote: On Tue, 2011-10-25 at 10:22 -0700, Dave Fisher wrote: You are welcome! I'm looking for common ground and I am trying to listen to logic. :-) So where does that leave us ? one approach that hasn't been discussed (and is perhaps a good compromise) - is for me to go ahead and setup the list @freedesktop, and for you guys to advertise the @ooo alias on your pages, and us to advertise the freedesktop one on ours. .. What do you think ? I think we are getting somewhere. The last detail is which is the real ML and which is the forwarder. While the AOOo project might prefer to have Fair point - for ultra-fairness we should perhaps publish two forwarding addresses - securityteam@oo.o and securityteam@tdf one each, both pointing at the neutrally hosted list. Regards, Michael. -- michael.me...@suse.com , Pseudo Engineer, itinerant idiot +1 for neutral ground -Wolf -- This Apt Has Super Cow Powers - http://sourcefreedom.com
Re: Draft mailing list notification post
Am 10/25/2011 07:58 PM, schrieb Rob Weir: On Tue, Oct 25, 2011 at 1:45 PM, Dave Fisher dave2w...@comcast.net wrote: I wonder if this is too technically detailed. Since the recipient is a ML user that impact should be noted near the top. The information about what the ASF / podling process is all about should be at the end. The feedback we received when we sent an earlier list migration note to the users and discuss list, after we initially set up ooo-users, was along the lines of Who the hell are you and why is this the first we are hearing about the migration?. That is why I put the introductory ASF stuff at the top, to put it in context. Of course, doing that could lead people to ignore the note, thinking there is nothing important in it. So that's why I started by saying the note was important. But I realize that that itself could increase the chance of the email being ignored, since emails that say they are important rarely are. So how can we have both a good intro as well as get a high response rate? There will be always a number of people that will not do what you (we) would expect. So, we should try to make it as good as possible. IMHO the draft is that. Maybe split this into two emails, and space them a week apart? So one email that is the intro, gives the background on the Incubation, the migration effort, etc. Short and sweet. They might actually read it. Then follow a week later with As we previously mentioned in our note last week We're starting the list migration now. To join the new list you will need to Would that be better? Maybe. But then the first mail should contain something like ... today we want to explain who we are, where the OOo project is going to and what will happen with this ML in x days. A second mail will be sent with more details and technical stuff Information here to go to find out about AOOo release plans would be helpful. A wiki page with updates. We have a release plan? I suppose we can put a placeholder page. 
A link to the ooo blog. Good idea. Yes, some more links for the normal user. Maybe also include on every post a link to the ooo-dev and ooo-users lists, since those are our main ones. Marcus On Oct 25, 2011, at 5:57 AM, Rob Weir wrote: On the wiki here: https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post Feel free to make changes directly on the wiki, or suggest them as responses to this note. I don't think we want to overburden the reader with a recitation of migration facts, but instead motivate them to take the desired actions. But since this will be for many the first note they officially receive from the PPMC, it should probably have some introductory information, and a welcome and invitation to get involved (stay involved) with the project. -Rob
Re: [proposal] development for the first AOO release
Pedro ++ On Mon, Oct 24, 2011 at 11:26 AM, Pedro Giffuni p...@apache.org wrote: Please note that we are doing both simultaneously to avoid breaking the build. We do have to update the task list. There are some uncommitted advances (libegg, ucpp) and some WIP (nss), but there are still some binaries used in the windows build and the glibc stubs. Otherwise, we are doing pretty well and it's a matter of hoping Oracle won't leave additional license holes in the SGA. Pedro. --- On Mon, 10/24/11, Oliver-Rainer Wittmann wrote: Hi, I would like to propose the following development milestones on our way to the first AOO release: - IP cleared milestone For this milestone we should remove all 3rd party components which are not compliant with Apache's Third-Party Licensing Policy [1]. All license headers in the source code files should be updated according to Oracle's SGA. Additionally, we may update certain information in the product in order to reflect that the product is now coming from Apache (e.g. the splash screen, the about dialog, ...). Then the IP review required by Apache could be performed in order to meet the corresponding requirements for our first release. This milestone would result in an OpenOffice.org missing a lot of important features, but this milestone would be the basis regarding Apache's IP rules. This milestone could be released according to the Apache rules. - features back milestone For this milestone we should work on bringing back the features which are lost in the previous milestone. I do not think that we have to bring back every feature for a first release. Thus, we would have got the possibility to work on the features which are of most interest. At some point we could create a release candidate and start working on stabilizing it for a first release, if we think that the must have features are back. In order to coordinate efforts and to avoid duplicate work I propose to use the IP clearance wiki page [2]. 
The basis for its content is more or less the Apache Migration wiki page [3]. Some additional information has been collected on certain 3rd party components. Also priorities have been assigned. But its content is not nailed in stone. It currently reflects more or less the input and opinions of the editing contributors to these IP clearance issues. Thus, it would be a living document to reflect our knowledge about these IP clearance issues. It would also document our efforts and our decisions regarding these efforts. Any remarks/comments/improvements/adjustments? Any objections to follow such a plan for our first release? Best regards, Oliver. P.S.: I will be out-of-office for the rest of the week. Thus, I will probably not reply to your input regarding my proposal this week - please excuse. References: [1] http://www.apache.org/legal/3party.html [2] https://cwiki.apache.org/confluence/display/OOOUSERS/IP_Clearance [3] http://ooo-wiki.apache.org/wiki/ApacheMigration -- This Apt Has Super Cow Powers - http://sourcefreedom.com
Re: [Proposal] Shutting down legacy OOo mailing lists
Hi Rob, On Oct 25, 2011, at 7:27 AM, Rob Weir wrote: On Mon, Oct 17, 2011 at 11:35 AM, Dave Fisher dave2w...@comcast.net wrote: snip In the three to four weeks that it will take to get to step (7) AOOo and Apache Infra should have control over the openoffice.org MX records. An easier alternative would be to decide what MX services we want to continue on openoffice.org and do the MX migration at this point. Even if it will bounce and/or forward email. Can we talk through that option a little more? Take a legacy list like us...@openoffice.org. If we try to handle this via the MX record, then that applies to the entire domain, all mailing lists as well as forwarding email account at openoffice.org. Is that correct? In other words, the MX record is at the level of openoffice.org, not at the level of us...@openoffice.org. Correct. It is the whole domain. So in the MX approach, is there any way to do a more gradual migration, or do we need to do it all at once, including the forwarding accounts? I know for web traffic, there is some flexibility at the subdomain level. But these are all the same domain, just differing by account. When we leave Kenai/Oracle and move to ASF we are doing it all at once. In advance we will need to tell Infrastructure what forwarders and mailboxes we require. They'll tell us if there are any mailboxes (like postmaster) that we might be required to monitor (could be none.) If securityteam@oo.o becomes a forwarder then that is one mailbox we don't need. Suppose there is some way to get over that. Then we could create identically named (or predictably mappable) equivalent lists using ezmlm. But since we're not able to automatically sign users up, the traffic forwarding would all end up in the moderator queues. Of course, these could be passed through. We could even white list the addresses. (or black list in the case of spammers) But it doesn't get people signed up on the ezmlm list. 
Where this might be useful is for cases where a legacy email list address is on a third party page, or maybe even in our own legacy list archives. Someone does a Google search and sees something that says, If you run into this problem, please send an email to f...@openoffice.org. Some degree of forwarding for these emails would ensure such users don't get lost. But we can't simply forward *.openoffice.org to a ooo-legacy-bucket.i.a.o email list, since many of the *.openoffice.org are personal forwarding addresses and contain personal content. And some lists are private lists. So any forwarding scheme would need to be very sensitive to these details and would likely need an actual enumeration of the 300 or so lists and the unknown number of official contact emails (webmaster, etc.) that we want to forward. Your excursion into hypotheticals has led you back to reality. We have a table of forwarders and we ask Apache Infrastructure to implement it as part of hosting openoffice.org's MX. The only question is if we need any openoffice.org mailboxes. I think we have to either keep a set of personal OOo forwarders ala apache.org forwarders, or none at all. Forwarders not kept will bounce. It is possible that we can control the 550 (?) unknown user bounce message. We'll need to ask Infrastructure about it. We decided earlier not to keep personal forwarders. We could make it so all the committers on AOOo could have openoffice.org forwarders to their apache.org addresses which then forward where selected. Do you see that path in a similar way? Or do you see a simpler way of doing that? Without the digression, yes, similar, but with the added question about real mailboxes. Regards, Dave -Rob
Re: Draft mailing list notification post
On Tue, Oct 25, 2011 at 2:16 PM, Marcus (OOo) marcus.m...@wtnet.de wrote: Am 10/25/2011 07:58 PM, schrieb Rob Weir: On Tue, Oct 25, 2011 at 1:45 PM, Dave Fisher dave2w...@comcast.net wrote: I wonder if this is too technically detailed. Since the recipient is a ML user that impact should be noted near the top. The information about what the ASF / podling process is all about should be at the end. The feedback we received when we sent an earlier list migration note to the users and discuss list, after we initially set up ooo-users, was along the lines of Who the hell are you and why is this the first we are hearing about the migration?. That is why I put the introductory ASF stuff at the top, to put it in context. Of course, doing that could lead people to ignore the note, thinking there is nothing important in it. So that's why I started by saying the note was important. But I realize that that itself could increase the chance of the email being ignored, since emails that say they are important rarely are. So how can we have both a good intro as well as get a high response rate? There will be always a number of people that will not do what you (we) would expect. So, we should try to make it as good as possible. IMHO the draft is that. Maybe split this into two emails, and space them a week apart? So one email that is the intro, gives the background on the Incubation, the migration effort, etc. Short and sweet. They might actually read it. Then follow a week later with As we previously mentioned in our note last week We're starting the list migration now. To join the new list you will need to Would that be better? Maybe. But then the first mail should contain something like ... today we want to explain who we are, where the OOo project is going to and what will happen with this ML in x days. A second mail will be sent with more details and technical stuff We can also use the initial email to prompt the discussion on whether there is sufficient interest for an NL list. 
Requesting a new list can take 1 or 2 weeks, so we do need some lead time for this. An initial note could be useful for that purpose. Information here to go to find out about AOOo release plans would be helpful. A wiki page with updates. We have a release plan? I suppose we can put a placeholder page. A link to the ooo blog. Good idea. Yes, some more links for the normal user. Maybe also include on every post a link to the ooo-dev and ooo-users lists, since those are our main ones. Marcus On Oct 25, 2011, at 5:57 AM, Rob Weir wrote: On the wiki here: https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post Feel free to make changes directly on the wiki, or suggest them as responses to this note. I don't think we want to overburden the reader with a recitation of migration facts, but instead motivate them to take the desired actions. But since this will be for many the first note they officially receive from the PPMC, it should probably have some introductory information, and a welcome and invitation to get involved (stay involved) with the project. -Rob
Re: Neutral / shared security list ...
I am not in the PPMC specifically to avoid participating in this type of discussions, but I have to say this, just IMHO: I fail to understand why the ASF is not considered neutral, deep inside I think the reason is simply because this year we got a bigger toy in our Christmas tree that they wanted. Hope I am wrong. We owe to our millions of users out there to maintain our own security channels and we cannot delegate them to a third party. Looking for an unrelated domain to handle our issues is like giving your children to your neighbors so they educate them impartially. If there is no interest in bringing the code bases together I think there is not much to gain on a shared security list in the long run. Pedro.
Re: Neutral / shared security list ...
Hi Pedro, *, On Tue, Oct 25, 2011 at 8:42 PM, Pedro Giffuni p...@apache.org wrote: I am not in the PPMC specifically to avoid participating in this type of discussions, but I have to say this, just IMHO: I fail to understand why the ASF is not considered neutral, The ASF people are not the big problem. It is having @openoffice.org or @apache.org as part of the address. You wouldn't be OK with the list being @libreoffice.org or @documentfoundation.org, would you? Those are not neutral either. As I don't think this point is so hard to understand, I can only assume Rob is reiterating on this stuff and throwing in trust is what matters on purpose. This has nothing to do with trust. We owe to our millions of users out there to maintain our own security channels and we cannot delegate them to a third party. So why do you think it is OK for TDF/LibreOffice to do so? (I know you're now switching from the neutrality issue to the administration part, but that once again is a different issue. Here is where trust also comes into play, but not any more than you have to trust the people who are subscribed to those lists) Looking for an unrelated domain to handle our issues is like giving your children to your neighbors so they educate them impartially. For TDF, @apache.org or @openoffice.org would be unrelated, a different party. ciao Christian
Re: Shutdown of the download.services.openoffice.org host and its Mirrorbrain instance
Hi Robert, *, On Tue, Oct 25, 2011 at 5:05 PM, Robert Burrell Donkin robertburrelldon...@gmail.com wrote: On Tue, Oct 25, 2011 at 1:38 PM, Christian Lohmaier cl...@openoffice.org wrote: On Tue, Oct 25, 2011 at 2:15 PM, Robert Burrell Donkin robertburrelldon...@gmail.com wrote: On Tue, Oct 25, 2011 at 12:36 PM, Christian Lohmaier cl...@openoffice.org wrote: [...] Better to download the signature over HTTPS but yes, I see no reason why this approach could not be made to work With signature I meant a real signature (gpg signature), not a md5sum or sha1sum file. When it is a cryptographic signature, it doesn't matter how you download it, as it cannot be faked. (of course the user has to get the proper key, but that's a different issue) FWIW it's a defense in depth measure[1] [...] [1] Consider an attacker with some ability to fabricate convincing signatures. Define convincing signatures. If anyone were to be able to create convincing gpg signatures of Apache releases, then this... Downloading the signature from a trusted server means that such an attacker would need to replace an existing signature on secure hardware without detection. is moot anyway, the lesser problem to be concerned about. And this btw. is not any different than to download the torrent via https. So it is not a matter of infrastructure, but a matter of policy. Where's the URL for this policy? I didn't mean to imply there was a set-in-stone policy already. What I meant was that it is up to the project to decide whether torrents are used or not, that the technical implementation of using torrents is so simple that apache infrastructure is not needed at all. You want torrents, you got torrents. You don't want them, you just don't use them. (Of course I don't know whether Apache as a whole has a written policy or guidelines wrt. using torrents, but I don't think there is one) ciao Christian
Re: Neutral / shared security list ...
On Tue, Oct 25, 2011 at 2:52 PM, Christian Lohmaier cl...@openoffice.org wrote: Hi Pedro, *, On Tue, Oct 25, 2011 at 8:42 PM, Pedro Giffuni p...@apache.org wrote: I am not in the PPMC specifically to avoid participating in this type of discussion, but I have to say this, just IMHO: I fail to understand why the ASF is not considered neutral, The ASF people are not the big problem. It is having @openoffice.org or @apache.org as part of the address. You wouldn't be OK with the list being @libreoffice.org or @documentfoundation.org, would you? Those are not neutral either. As I don't think this point is so hard to understand, I can only assume Rob is reiterating on this stuff and throwing in trust is what matters on purpose. This has nothing to do with trust. I think it has everything to do with trust, and nothing to do with neutrality. TDF is not the only other party in the universe. We are glad to hear your opinions, but they are not determinative of our actions. We also need to be concerned with the trust of users, with other downstream consumers and with security researchers. As a name, an apache.org address is far more trusted in this area than any new name that you might find for a list. In the end, trust is earned. It is not something you buy from GoDaddy. -Rob We owe to our millions of users out there to maintain our own security channels and we cannot delegate them to a third party. So why do you think it is OK for TDF/LibreOffice to do so? (I know you're now switching from the neutrality issue to the administration part, but that once again is a different issue. Here is where trust also comes into play, but not any more than you have to trust the people who are subscribed to those lists) Looking for an unrelated domain to handle our issues is like giving your children to your neighbors so they educate them impartially. For TDF, @apache.org or @openoffice.org would be unrelated, a different party. ciao Christian
Re: Neutral / shared security list ...
Hi Pedro, On Oct 25, 2011, at 11:42 AM, Pedro Giffuni wrote: I am not in the PPMC specifically to avoid participating in this type of discussion, but I have to say this, just IMHO: I appreciate your decision to focus on the code. Project management keeps pulling me away from code ... for too many years. I fail to understand why the ASF is not considered neutral, deep inside I think the reason is simply because this year we got a bigger toy in our Christmas tree that they wanted. Hope I am wrong. Michael Meeks and Florian have been explicit today that openoffice.org as a destination is not considered neutral by the TDF. I haven't explicitly asked if an apache.org address is not sufficiently neutral ... I suspect not. I think about this as a branding decision by TDF about LO and not our business. We owe to our millions of users out there to maintain our own security channels and we cannot delegate them to a third party. Looking for an unrelated domain to handle our issues is like giving your children to your neighbors so they educate them impartially. There should be no doubt that ooo-security@i.a.o will remain as the project's security list. If there is a meta-list for security for all of the peers in the OOo / LO and the rest community, this is some confederation that shares security issues in a private manner between peers. The peers have the mutual interest of their communities in mind. If there is no interest in bringing the code bases together I think there is not much to gain on a shared security list in the long run. There is a need for co-operation regardless of the code divergence. The code will retain significant commonality. The ODF format is a standard. There will be common security issues. One could argue that such co-operative lists should include all of the Microsoft Office community as well. Both LO and OOo implement OOXML and the binary MS Office formats. I won't because I suspect that it is a bridge too far. Regards, Dave Pedro.
Re: [Proposal] Security coordination without a shared list
On 10/25/2011 09:08 AM, Rob Weir wrote: There is an easy way to avoid all the trust issues with regards to shared mailing lists. Don't have such a list. Trust individuals. This proposal takes this approach. Actually I personally like this idea. Why? There have been many statements/testimonies to the fact that the LO contains a great deal of code that is NOT in any of the OOo releases, and is now quite different. And, presumably, the LO development will continue to be different enough to warrant its own separate universe of mailing lists. I think at some point if we decided we really truly wanted to have a shared security list, it would become very difficult to determine who was the responsible party for the grievances. I might be exaggerating the problems since I'm not a developer, but, then again, maybe not. So, although I'd love to see us work more closely with LO, I believe separate security lists are in order. 1) The AOOo PMC solicits the names of security contacts from related projects who wish to be consulted related to pre-disclosure coordination related to analysis and resolution of reported security vulnerabilities. Names of individuals are preferred over opaque mailing lists. Trust can be established based on a PGP/GPG web of trust. These names and addresses are stored confidentially in the PPMC's private SVN directory. 2) The AOOo security team reaches out to these contacts, as appropriate, via their preferred contact mechanism, to coordinate on specific vulnerabilities. We (Apache) would cc ooo-security on our external emails, as required by Apache policy [1]. 3) Other groups would be encouraged to reach out to AOOo in similar circumstances via our preferred contact mechanism, ooo-security. 4) This fully allows targeted collaboration on specific issues, via each project's preferred contact mechanism, without requiring the maintenance of an additional email list. 
5) If we want to discuss security in general, then that can/should happen on public dev lists.That public discussion could occur anywhere. [1]: http://www.apache.org/security/committers.html -- MzK This is no social crisis Just another tricky day for you. -- Tricky Day, the Who
Re: Neutral / shared security list ...
--- On Tue, 10/25/11, Christian Lohmaier cl...@openoffice.org wrote: Hi Pedro, *, On Tue, Oct 25, 2011 at 8:42 PM, Pedro Giffuni p...@apache.org wrote: I am not in the PPMC specifically to avoid participating in this type of discussion, but I have to say this, just IMHO: I fail to understand why the ASF is not considered neutral, The ASF people are not the big problem. It is having @openoffice.org or @apache.org as part of the address. You wouldn't be OK with the list being @libreoffice.org or @documentfoundation.org, would you? There is one difference: for all purposes we are what LibreOffice is about to call upstream. Whatever happens in OpenOffice.org is likely to also affect LO. Those are not neutral either. As I don't think this point is so hard to understand, I can only assume Rob is reiterating on this stuff and throwing in trust is what matters on purpose. This has nothing to do with trust. We owe to our millions of users out there to maintain our own security channels and we cannot delegate them to a third party. So why do you think it is OK for TDF/LibreOffice to do so? LibreOffice, RedOffice, Lotus and other vendors are likely to have their own independent channels too. I am not against that but the idea is to have a single place where all OOo derivatives can share experiences and attack common problems. All of them share a quite big chunk of code and we are extending the courtesy of the united domain to everyone. (I know you're now switching from the neutrality issue to the administration part, but that once again is a different issue. Here is where trust also comes into play, but not any more than you have to trust the people who are subscribed to those lists) Looking for an unrelated domain to handle our issues is like giving your children to your neighbors so they educate them impartially. For TDF, @apache.org or @openoffice.org would be unrelated, a different party. That's exactly the silly part. 
We are calling for unity and collaboration, TDF is calling for mistrust and division. Pedro.
RE: Neutral / shared security list ...
Rob, It is an interesting social observation that distrust is not exemplary of being trustworthy. (Distrust is a kind of permission to be righteously untrustworthy, as is too easily demonstrated in world affairs as well as closer to home in regard to specific events already discussed on this list.) In my thinking, the first act of being trustworthy is being trusting of those you want to recognize you as trustworthy. Enough about that. I do want to disassociate AOOo from the ASF record over the years. That is not the AOOo record. AOOo is not even six months old. AOOo needs to establish its trustworthiness the old-fashioned way, and it is not by inheritance or even by association. Not yet. - Dennis -Original Message- From: Rob Weir [mailto:robw...@apache.org] Sent: Tuesday, October 25, 2011 09:12 To: ooo-dev@incubator.apache.org Subject: Re: Neutral / shared security list ... On Tue, Oct 25, 2011 at 11:56 AM, Florian Effenberger flo...@documentfoundation.org wrote: Hello, it is really amazing how much hot air can be produced for such a topic. Folks, it's rather easy. After the recent discussions and the history of this topic, it becomes obvious, that neutral grounds are important. Neutral grounds mean: - no domain name related to Apache, OOo, TDF or LibO - no hosting at one of these entities - members of the list from both parties (and of course other third parties that make sense) - admins of the list from both parties Sorry, but you build an incredible amount of distrust in others if you express such irrational distrust in AOOo. I'd have extreme hesitation to work with anyone who exhibits such vehement distrust of an 11 year old open source foundation that produces 5 of the top 10 open source projects, and which has a stellar reputation in the industry, including its treatment of security vulnerabilities. -Rob [ ... ]
RE: Neutral / shared security list ...
Having some lists on Sourceforge makes it clear to me that you don't want to go there. My sourceforge e-mail address, the one associated with the lists, receives an incredible number of bounces of false e-mails allegedly from the list as well as crap sent to the list. It is difficult to avoid the conclusion that some of this is attributable to successful hacking into the list servers. That may be in the past, but there is no visibility and accountability about it that I have found. There is a strong requirement for a vigilant host that is intolerant of lax security and that provides all of the appropriate safeguards and privacy of the kind required for a community security list. Such a list has a bulls-eye on its back and a big ATTACK ME arrow pointed at it. I recommended, and am still inclined to recommend, ASF for hosting for precisely the reasons that they are vigilant and this is also demonstrated in how they are vigilant with regard to the integrity of their code bases, the releases, and their authenticity. There is little question, to me, that ASF is likely going to outlast many alternatives for such a facility. I view this as separate from issues about governance of the list itself and the conditions for membership on the list. Because security lists are by necessity used for sensitive information, they cannot be public. The challenge is to still have transparency and accountability over how the list is governed and operated, as a list, and who the participants are (or at least, what organizations are represented, for participants who are there as representatives of particular projects). By the way, I know of no list that expects reporters to it (who also might submit packages) to have signed any kind of license agreement. Maybe that happens. I am not aware of it. I think Rob summarized the trust issues perfectly well. 
Since there does not appear to be a situation where blind trust is present, nor called for, the challenge is to build trust from some initial basis on which there is alignment. One case has to deal with trust in the impartiality and the serious professional conduct of the hosting organization, whatever the list is and whatever its Internet address is. I still claim that the best choice of those offered so far is ASF. Whatever other candidates for hosting are, there needs to be strong agreement on the measures that qualify that choice and that inspire mutual trust, apart from where the domain name is. - Dennis -Original Message- From: Florian Effenberger [mailto:flo...@documentfoundation.org] Sent: Tuesday, October 25, 2011 08:56 To: ooo-dev@incubator.apache.org Subject: Re: Neutral / shared security list ... Hello, it is really amazing how much hot air can be produced for such a topic. Folks, it's rather easy. After the recent discussions and the history of this topic, it becomes obvious, that neutral grounds are important. Neutral grounds mean: - no domain name related to Apache, OOo, TDF or LibO - no hosting at one of these entities - members of the list from both parties (and of course other third parties that make sense) - admins of the list from both parties I'd also avoid any of the German associations, either directly or via donations, since stakeholders at both projects are in their respective boards, which might raise concerns towards neutrality. What's so complicated to understand here? We can bury ourselves with senselessly quoting bullshit from dictionaries, wikipedia or a philosopher of our choice, or finally start working on things. A concrete proposal: - We can use either FreeDesktop.org, - or in case this is seen as non-neutral as it hosts also a few TDF lists (not all), go for SourceForge. - I am also happy to ask a friend of mine who is in the business of mail server consultancy, to host that list under a neutral domain name. 
He hosts various lists for free projects. In case that's not neutral enough as he's a friend, I know none of the admins at SourceForge. So, is there any *compelling* reason not to try out one of these three options? Florian -- Florian Effenberger flo...@documentfoundation.org Steering Committee and Founding Member of The Document Foundation Tel: +49 8341 99660880 | Mobile: +49 151 14424108 Skype: floeff | Twitter/Identi.ca: @floeff
Re: Neutral / shared security list ...
On Oct 25, 2011, at 10:55 AM, Michael Meeks wrote: On Tue, 2011-10-25 at 10:22 -0700, Dave Fisher wrote: You are welcome! I'm looking for common ground and I am trying to listen to logic. :-) So where does that leave us ? one approach that hasn't been discussed (and is perhaps a good compromise) - is for me to go ahead and setup the list @freedesktop, and for you guys to advertise the @ooo alias on your pages, and us to advertise the freedesktop one on ours. .. What do you think ? I think we are getting somewhere. The last detail is which is the real ML and which is the forwarder. While the AOOo project might prefer to have Fair point - for ultra-fairness we should perhaps publish two forwarding addresses - securityteam@oo.o and securityteam@tdf one each, both pointing at the neutrally hosted list. This leads to an interesting approach that can be taken by any peer. (1) There is a neutrally hosted Security ML for all Peers. Individuals are signed up representing one or more peers. The individuals are private. The peers are public. LO, AOOo, ODF Toolkit, RedOffice, Lotus Symphony, ... (2) Each peer project can maintain their own private security list. (3) Each peer project has an email forwarder that forwards email to (1) and optionally (2). (4) Each peer project should have a security page with links to any private security list and when to use the neutrally hosted / shared list. Having a public list of the peers on the shared list is essential to properly informing the user where they are sending their security report. If the peer list included links to each peer's security web page that would be helpful. A neutral domain name like office-security.org would be registered. Perhaps Team OpenOffice can help by buying the domain and setting up Mailing list hosting. I suspect that hosting details can be discussed among the securityteam@oo.o members. Regards, Dave
Re: Neutral / shared security list ...
--- On Tue, 10/25/11, Dave Fisher dave2w...@comcast.net wrote: Hi Pedro, On Oct 25, 2011, at 11:42 AM, Pedro Giffuni wrote: I am not in the PPMC specifically to avoid participating in this type of discussion, but I have to say this, just IMHO: I appreciate your decision to focus on the code. Project management keeps pulling me away from code ... for too many years. I fail to understand why the ASF is not considered neutral, deep inside I think the reason is simply because this year we got a bigger toy in our Christmas tree that they wanted. Hope I am wrong. Michael Meeks and Florian have been explicit today that openoffice.org as a destination is not considered neutral by the TDF. I haven't explicitly asked if an apache.org address is not sufficiently neutral ... I suspect not. I think about this as a branding decision by TDF about LO and not our business. Yes, you are right. I will keep away from any further discussion in this uninteresting thread. :-P Pedro.
RE: Neutral / shared security list ...
+1 I am very much in support of the view that Dave has evolved in this discussion. The discussion is not about the private security teams each project must have to deal with its security issues and to ensure the secure operation of dealing with security issues. If there is to be a community location for sharing concerning common vulnerabilities and security concerns among those teams, a kind of secure channel among the parties, like a multilateral hot line, some trustworthy basis for that has to be achieved. The security of our users in relying on our products and their interchange protocols and formats is paramount. Ultimately, that is the bedrock for enduring the discomfort of finding ways to accomplish this that are trustworthy for all of the participants. - Dennis -Original Message- From: Dave Fisher [mailto:dave2w...@comcast.net] Sent: Tuesday, October 25, 2011 12:30 To: ooo-dev@incubator.apache.org Subject: Re: Neutral / shared security list ... Hi Pedro, On Oct 25, 2011, at 11:42 AM, Pedro Giffuni wrote: I am not in the PPMC specifically to avoid participating in this type of discussion, but I have to say this, just IMHO: I appreciate your decision to focus on the code. Project management keeps pulling me away from code ... for too many years. I fail to understand why the ASF is not considered neutral, deep inside I think the reason is simply because this year we got a bigger toy in our Christmas tree that they wanted. Hope I am wrong. Michael Meeks and Florian have been explicit today that openoffice.org as a destination is not considered neutral by the TDF. I haven't explicitly asked if an apache.org address is not sufficiently neutral ... I suspect not. I think about this as a branding decision by TDF about LO and not our business. We owe to our millions of users out there to maintain our own security channels and we cannot delegate them to a third party. 
Looking for an unrelated domain to handle our issues is like giving your children to your neighbors so they educate them impartially. There should be no doubt that ooo-security@i.a.o will remain as the project's security list. If there is a meta-list for security for all of the peers in the OOo / LO and the rest community, this is some confederation that shares security issues in a private manner between peers. The peers have the mutual interest of their communities in mind. If there is no interest in bringing the code bases together I think there is not much to gain on a shared security list in the long run. There is a need for co-operation regardless of the code divergence. The code will retain significant commonality. The ODF format is a standard. There will be common security issues. One could argue that such co-operative lists should include all of the Microsoft Office community as well. Both LO and OOo implement OOXML and the binary MS Office formats. I won't because I suspect that it is a bridge too far. Regards, Dave Pedro.
RE: Draft mailing list notification post
+1 Good eye! [For me, the first problem is to get it all written down. Then the problem is to figure out how to make it the most useful to the reader, ideally by having the biggest questions answered first. For everything but the first part (and sometimes that too), it is useful to have someone else's eye on the material.] - Dennis -Original Message- From: Dave Fisher [mailto:dave2w...@comcast.net] Sent: Tuesday, October 25, 2011 10:46 To: ooo-dev@incubator.apache.org Subject: Re: Draft mailing list notification post I wonder if this is too technically detailed. Since the recipient is a ML user that impact should be noted near the top. The information about what the ASF / podling process is all about should be at the end. Information here to go to find out about AOOo release plans would be helpful. A wiki page with updates. A link to the ooo blog. On Oct 25, 2011, at 5:57 AM, Rob Weir wrote: On the wiki here: https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post Feel free to make changes directly on the wiki, or suggest them as responses to this note. I don't think we want to overburden the reader with a recitation of migration facts, but instead motivate them to take the desired actions. But since this will be for many the first note they officially receive from the PPMC, it should probably have some introductory information, and a welcome and invitation to get involved (stay involved) with the project. -Rob
Re: Draft mailing list notification post
On Tue, Oct 25, 2011 at 5:57 AM, Rob Weir robw...@apache.org wrote: On the wiki here: https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post Feel free to make changes directly on the wiki, or suggest them as responses to this note. I don't think we want to overburden the reader with a recitation of migration facts, but instead motivate them to take the desired actions. But since this will be for many the first note they officially receive from the PPMC, it should probably have some introductory information, and a welcome and invitation to get involved (stay involved) with the project. -Rob I'll use the note approach. take this sentence out entirely--most users won't know or care about the back-end technology As part of the migration to the Apache servers we will be switching from the SYMPA mailing list manager to ezmlm, which the rest of Apache uses. the rest reads OK without it. Take out Note items #1, and #4. Keep things as simple as possible would be my advice. Pretty good though. Let's just hope they actually do read the whole thing. -- --- MzK This is no social crisis Just another tricky day for you. -- Tricky Day, the Who
RE: Neutral / shared security list ...
Umm, head-slap moment. I happen to be the proud owner of worthiness.org. Truly. It is not hosted, but I have been sitting on the domain name for several years. It was part of my M.Sc in IT project on Open Systems Trustworthiness. I won't go into that here. There is a reasonable capsule of where I got on the subject of trustworthiness here: http://orcmid.com/blog/2008/05/trust-but-demonstrate.asp. I stand by that. For the current conversation, it is useful to leap to the end. I have the domain so I could create an organization with regard to certification and assurance processes. I fancy tr...@worthiness.org as an identity with regard to digital signatures for attestations and counter-signing of other attestations that had been audited successfully. This can be made available for a security-community retargeting too. It is clearly INELIGIBLE for a *trustworthy* neutral HOSTING. First, if I fail to renew the domain-name lease (by disappearing from the mortal plane, or other disability), too bad. Secondly, if the hosting site I would lease anything on were to fail or be hacked, I would have no recourse. And then there is the matter of vigilance around the site, its backup, and most of all, protection of the sensitivity of the conversations that are conducted on its list. As an individual, I am not able to offer the care that is required, nor should I be relied upon to do so. So, that's how neutrality is not trustworthiness, OK? On the other hand, worthiness.org might be useful. I am rather attached to it though. - Dennis (It is difficult to find domain names with trust in them, which is why I have the peculiar TROSTing.org domain too -- that and an inability to come up with a meaningful project title that abbreviated to TRUST.) -Original Message- From: Dave Fisher [mailto:dave2w...@comcast.net] Sent: Tuesday, October 25, 2011 13:01 To: ooo-dev@incubator.apache.org Subject: Re: Neutral / shared security list ... 
On Oct 25, 2011, at 10:55 AM, Michael Meeks wrote: On Tue, 2011-10-25 at 10:22 -0700, Dave Fisher wrote: You are welcome! I'm looking for common ground and I am trying to listen to logic. :-) So where does that leave us ? one approach that hasn't been discussed (and is perhaps a good compromise) - is for me to go ahead and setup the list @freedesktop, and for you guys to advertise the @ooo alias on your pages, and us to advertise the freedesktop one on ours. .. What do you think ? I think we are getting somewhere. The last detail is which is the real ML and which is the forwarder. While the AOOo project might prefer to have Fair point - for ultra-fairness we should perhaps publish two forwarding addresses - securityteam@oo.o and securityteam@tdf one each, both pointing at the neutrally hosted list. This leads to an interesting approach that can be taken by any peer. (1) There is a neutrally hosted Security ML for all Peers. Individuals are signed up representing one or more peers. The individuals are private. The peers are public. LO, AOOo, ODF Toolkit, RedOffice, Lotus Symphony, ... (2) Each peer project can maintain their own private security list. (3) Each peer project has an email forwarder that forwards email to (1) and optionally (2). (4) Each peer project should have a security page with links to any private security list and when to use the neutrally hosted / shared list. Having a public list of the peers on the shared list is essential to properly informing the user where they are sending their security report. If the peer list included links to each peer's security web page that would be helpful. A neutral domain name like office-security.org would be registered. Perhaps Team OpenOffice can help by buying the domain and setting up Mailing list hosting. I suspect that hosting details can be discussed among the securityteam@oo.o members. Regards, Dave
Mailing list user migration: Staging and volunteers
A quick summary of where we are, in case you haven't been following the previous threads. Information on the top 100 legacy mailing lists is on the wiki [1]. A draft note that will be sent to these lists is on another page [2]. If you note in that first page, the Migration Owner column is blank. So either I need to quickly learn French, Dutch and Japanese, or I need some help here. Volunteers would translate the note, send it to the relevant NL lists, and be available on those lists to answer any migration-related questions. Ideally you would already be a participant on the lists and familiar to that community. As for staging, I'd recommend that we do not do this all at once. Migrating 100 lists at once would be very messy. But we can easily break this down into related groups of lists and do the migration over a few weeks. One possible staging would be: 1) All the lists that will be merged into the new ooo-marketing list. This will help jump start that list's important work, and bring community members into the discussion who might not have been interested in the other topics we've been discussing on ooo-dev. 2) All of the lists that will be merged into ooo-dev 3) All of the lists that will be merged into ooo-users 4) NL lists (which could be done in parallel with the above. However, they will require some discussion and admin work to create new ooo-lang lists.) The thought behind this staging is that we work out the kinks with the more technical and (hopefully) more forgiving project lists, before moving on to the user and NL lists. We can adjust the instructions and messaging based on what we learn from the initial migrations. Regards, -Rob [1] https://cwiki.apache.org/confluence/display/OOOUSERS/Mailing+lists [2] https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post
Re: Neutral / shared security list ...
Hello Ian,

Ian Lynch wrote on 2011-10-25 19:18:

Well, babies are usually made from love and tenderness (unless it's a mistake) and I don't see too much of that in this approach. At least to get started, why not do it on a neutral list? Florian has made a perfectly reasonable case for it. Is that so much to give up just to get something going? In terms of baby making, I'd say we need some serious marriage guidance before even talking about getting in bed together, never mind wrapping anything in latex.

Thank you for being reasonable and seeing what my proposal intends -- really, that's truly appreciated.

Seeing all those proposals coming in -- no list at all, everyone forwards to each other, etc. -- simply makes no sense. It creates overhead, it makes things slow, and that just for the sake of not agreeing to a simple proposal, it feels.

To sum up my proposal again: If we are on neutral grounds, nobody loses anything, but we all can win. It is not about telling any entity it is not trustworthy enough -- it simply is the easiest solution for a topic that has been cooking for weeks now. The easiest solution -- and anyone with common sense should agree -- is to have a shared list on neutral grounds, not involving ASF, AOOo, TeamOOo, nor TDF, LibO, FrODeV. That is fair to anyone, does not exclude anyone, does not benefit one over the other -- it's easy, simple, and the best way to go. Sure, everyone can create their own aliases pointing to that list, but the core is the same, and that's what matters.

If you folks now start complaining about "we don't trust Apache", we can answer by complaining "you don't trust TDF" and so on. It's a horrible waste of time, it's lame, it does not help anyone, and it makes me doubt we're talking amongst adults, seriously. And, really, all this crap being tossed around about trustworthiness, upstream, downstream, code similarities and insults is worth not even the digital paper it's written on.

I made a simple, plain, and easy proposal. Don't make things overly complicated, folks.

Thanks for considering,
Florian

-- 
Florian Effenberger flo...@documentfoundation.org
Steering Committee and Founding Member of The Document Foundation
Tel: +49 8341 99660880 | Mobile: +49 151 14424108
Skype: floeff | Twitter/Identi.ca: @floeff
Re: Mailing list user migration: Staging and volunteers
On Tue, Oct 25, 2011 at 5:36 PM, Kay Schenk kay.sch...@gmail.com wrote:

On Tue, Oct 25, 2011 at 2:30 PM, Rob Weir robw...@apache.org wrote:

A quick summary of where we are, in case you haven't been following the previous threads. Information on the top 100 legacy mailing lists is on the wiki [1]. A draft note that will be sent to these lists is on another page [2].

If you look at that first page, you'll note that the Migration Owner column is blank. So either I need to quickly learn French, Dutch and Japanese, or I need some help here. Volunteers would translate the note, send it to the relevant NL lists, and be available on those lists to answer any migration-related questions. Ideally you would already be a participant on the lists and familiar to that community.

As for staging, I'd recommend that we do not do this all at once. Migrating 100 lists at once would be very messy. But we can easily break this down into related groups of lists and do the migration over a few weeks. One possible staging would be:

1) All the lists that will be merged into the new ooo-marketing list. This will help jump-start that list's important work, and bring community members into the discussion who might not have been interested in the other topics we've been discussing on ooo-dev.
2) All of the lists that will be merged into ooo-dev
3) All of the lists that will be merged into ooo-users
4) NL lists (which could be done in parallel with the above; however, they will require some discussion and admin work to create new ooo-lang lists)

The thought behind this staging is that we work out the kinks with the more technical and (hopefully) more forgiving project lists, before moving on to the user and NL lists. We can adjust the instructions and messaging based on what we learn from the initial migrations.

Regards,
-Rob

Have the new NL lists been set up already? I may have missed that and I haven't looked at any jira tix.

No NL lists yet, except for Japanese. We need moderator volunteers before we can request them. Process for getting a new mailing list created is here: http://www.apache.org/dev/committers.html#new-mailing-list

Probably makes sense to start with the largest NL communities first?

[1] https://cwiki.apache.org/confluence/display/OOOUSERS/Mailing+lists
[2] https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post

-- 
--- MzK
This is no social crisis
Just another tricky day for you.
-- Tricky Day, the Who
Re: Mailing list user migration: Staging and volunteers
On 10/25/2011 2:43 PM, Rob Weir wrote:

On Tue, Oct 25, 2011 at 5:36 PM, Kay Schenk kay.sch...@gmail.com wrote:

On Tue, Oct 25, 2011 at 2:30 PM, Rob Weir robw...@apache.org wrote:

A quick summary of where we are, in case you haven't been following the previous threads. Information on the top 100 legacy mailing lists is on the wiki [1]. A draft note that will be sent to these lists is on another page [2].

If you look at that first page, you'll note that the Migration Owner column is blank. So either I need to quickly learn French, Dutch and Japanese, or I need some help here. Volunteers would translate the note, send it to the relevant NL lists, and be available on those lists to answer any migration-related questions. Ideally you would already be a participant on the lists and familiar to that community.

As for staging, I'd recommend that we do not do this all at once. Migrating 100 lists at once would be very messy. But we can easily break this down into related groups of lists and do the migration over a few weeks. One possible staging would be:

1) All the lists that will be merged into the new ooo-marketing list. This will help jump-start that list's important work, and bring community members into the discussion who might not have been interested in the other topics we've been discussing on ooo-dev.
2) All of the lists that will be merged into ooo-dev
3) All of the lists that will be merged into ooo-users
4) NL lists (which could be done in parallel with the above; however, they will require some discussion and admin work to create new ooo-lang lists)

The thought behind this staging is that we work out the kinks with the more technical and (hopefully) more forgiving project lists, before moving on to the user and NL lists. We can adjust the instructions and messaging based on what we learn from the initial migrations.

Regards,
-Rob

Have the new NL lists been set up already? I may have missed that and I haven't looked at any jira tix.

No NL lists yet, except for Japanese. We need moderator volunteers before we can request them. Process for getting a new mailing list created is here: http://www.apache.org/dev/committers.html#new-mailing-list

Probably makes sense to start with the largest NL communities first?

Have we considered having a list for 'un-represented languages'? If a user does not find their language, where do they go? Posting to the English list or ooo-dev in another language is frowned on. This is a bootstrapping question. Where can a community go to say that they exist, have a need, and would like to create a list? I understand we don't want to create dead lists, and don't want to create a list that cannot be self-sustainable, but it seems like there is a gap here for bringing in new communities.

[1] https://cwiki.apache.org/confluence/display/OOOUSERS/Mailing+lists
[2] https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post

-- 
--- MzK
This is no social crisis
Just another tricky day for you.
-- Tricky Day, the Who

-- 
Andrew Rist | Interoperability Architect
Oracle Corporate Architecture Group
Redwood Shores, CA | 650.506.9847
RE: [proposal] Neutral / shared security list ...
Dave, if you are going to do that, just relabeling a thread is not helpful. Please compose a specific concrete proposal under a [DISCUSS], and announce the duration and end-time for a lazy consensus at the top. Give it at least 3 full 24-hour calendar days. I don't have any sense that there is alignment yet, but there may be in that time and I am happy to be mistaken. Then at the end, if there is a consensus, please report what it is.

- Dennis

-Original Message-
From: Dave Fisher [mailto:dave2w...@comcast.net]
Sent: Tuesday, October 25, 2011 15:35
To: ooo-dev@incubator.apache.org
Cc: flo...@documentfoundation.org
Subject: Re: [proposal] Neutral / shared security list ...

Hi -

Sorry to reply to myself. Even though there are choices in this email, please view it as a proposal where we are seeking lazy consensus.

On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote:

On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote:

On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net wrote:

Agreed. We need to pick a neutral domain name. office-security.org is apparently free. Some institution needs to buy domain registration. I've been the volunteer registrar for a social group's domain; it is a pain to transition. This needs to be an institution, it could be Team OOo?

I think they are too close to the matter. SPI exists specifically to hold assets in trust - perhaps they would hold the registration for us all? If we agree I'd be happy to volunteer to contact them. It's also possible we could ask OSI to do it - Jim Jagielski and I are both on the Board at present.

These are both interesting ideas.

The proposal is to pick a domain and get registration; Simon volunteers to help.

An ISP for hosting the private ML needs to be selected. Dennis suggests that the ASF could be that ISP for free.

<slight snip/>

And:

<insert>
On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote:
<snip/>
If we basically agree that such a list as outlined by me is a way to go, I am happy to ask a friend of mine who has a very good reputation in being a mail server, mailing list and security expert, with a very good track record, including all sorts of certifications. He is offering e-mail services as a business. I just don't want to spread the name publicly without asking him first, and I don't want to ask him before we have some common understanding. :-)
</insert>

The proposal is for the existing securityteam to choose; the above are two possibilities.

securityteam@oo.o is migrated to whatever the new list is, and those people start administrating.

I think it is very important for the public to know who all of the projects are on the shared ML.

I propose that this shared security team provide a list of participating peers to the public.

Are we done already :-)

Let's let the world revolve to see if we have some consensus. Revolve 3x or 72 hours.

Regards,
Dave

Regards,
Dave

Regards,
Dave

That is fair to anyone, does not exclude anyone, does not benefit one over the other -- it's easy, simple, and the best way to go. Sure, everyone can create their own aliases pointing to that list, but the core is the same, and that's what matters.

If you folks now start complaining about "we don't trust Apache", we can answer by complaining "you don't trust TDF" and so on. It's a horrible waste of time, it's lame, it does not help anyone, and it makes me doubt we're talking amongst adults, seriously. And, really, all this crap being tossed around about trustworthiness, upstream, downstream, code similarities and insults is worth not even the digital paper it's written on.

I made a simple, plain, and easy proposal. Don't make things overly complicated, folks.

Thanks for considering,
Florian

-- 
Florian Effenberger flo...@documentfoundation.org
Steering Committee and Founding Member of The Document Foundation
Tel: +49 8341 99660880 | Mobile: +49 151 14424108
Skype: floeff | Twitter/Identi.ca: @floeff

-- 
Simon Phipps +1 415 683 7660 : www.webmink.com
Re: [proposal] Neutral / shared security list ...
Dennis,

I've gone as far as I want with this for now. I'll see what people say on this existing thread. I have no desire to fight a formality battle with Rob and his other, non-co-operative [proposal]. I put enough time today into diplomacy.

Regards,
Dave

On Oct 25, 2011, at 3:44 PM, Dennis E. Hamilton wrote:

Dave, if you are going to do that, just relabeling a thread is not helpful. Please compose a specific concrete proposal under a [DISCUSS], and announce the duration and end-time for a lazy consensus at the top. Give it at least 3 full 24-hour calendar days. I don't have any sense that there is alignment yet, but there may be in that time and I am happy to be mistaken. Then at the end, if there is a consensus, please report what it is.

- Dennis

-Original Message-
From: Dave Fisher [mailto:dave2w...@comcast.net]
Sent: Tuesday, October 25, 2011 15:35
To: ooo-dev@incubator.apache.org
Cc: flo...@documentfoundation.org
Subject: Re: [proposal] Neutral / shared security list ...

Hi -

Sorry to reply to myself. Even though there are choices in this email, please view it as a proposal where we are seeking lazy consensus.

On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote:

On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote:

On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net wrote:

Agreed. We need to pick a neutral domain name. office-security.org is apparently free. Some institution needs to buy domain registration. I've been the volunteer registrar for a social group's domain; it is a pain to transition. This needs to be an institution, it could be Team OOo?

I think they are too close to the matter. SPI exists specifically to hold assets in trust - perhaps they would hold the registration for us all? If we agree I'd be happy to volunteer to contact them. It's also possible we could ask OSI to do it - Jim Jagielski and I are both on the Board at present.

These are both interesting ideas.

The proposal is to pick a domain and get registration; Simon volunteers to help.

An ISP for hosting the private ML needs to be selected. Dennis suggests that the ASF could be that ISP for free.

<slight snip/>

And:

<insert>
On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote:
<snip/>
If we basically agree that such a list as outlined by me is a way to go, I am happy to ask a friend of mine who has a very good reputation in being a mail server, mailing list and security expert, with a very good track record, including all sorts of certifications. He is offering e-mail services as a business. I just don't want to spread the name publicly without asking him first, and I don't want to ask him before we have some common understanding. :-)
</insert>

The proposal is for the existing securityteam to choose; the above are two possibilities.

securityteam@oo.o is migrated to whatever the new list is, and those people start administrating.

I think it is very important for the public to know who all of the projects are on the shared ML.

I propose that this shared security team provide a list of participating peers to the public.

Are we done already :-)

Let's let the world revolve to see if we have some consensus. Revolve 3x or 72 hours.

Regards,
Dave

Regards,
Dave

Regards,
Dave

That is fair to anyone, does not exclude anyone, does not benefit one over the other -- it's easy, simple, and the best way to go. Sure, everyone can create their own aliases pointing to that list, but the core is the same, and that's what matters.

If you folks now start complaining about "we don't trust Apache", we can answer by complaining "you don't trust TDF" and so on. It's a horrible waste of time, it's lame, it does not help anyone, and it makes me doubt we're talking amongst adults, seriously. And, really, all this crap being tossed around about trustworthiness, upstream, downstream, code similarities and insults is worth not even the digital paper it's written on.

I made a simple, plain, and easy proposal. Don't make things overly complicated, folks.

Thanks for considering,
Florian

-- 
Florian Effenberger flo...@documentfoundation.org
Steering Committee and Founding Member of The Document Foundation
Tel: +49 8341 99660880 | Mobile: +49 151 14424108
Skype: floeff | Twitter/Identi.ca: @floeff

-- 
Simon Phipps +1 415 683 7660 : www.webmink.com
[CODE] Review i104788 - framework::DropdownToolbarController: dispatch does not get selected item text
Hi there,

can someone in the know of framework/API stuff review i104788? https://issues.apache.org/ooo/show_bug.cgi?id=104788

The issue is 2 years old, and the fix is rather simple.

Regards
-- 
Ariel Constenla-Haile
La Plata, Argentina
Re: Neutral / shared security list ...
I will drop off this thread after this post, as it seems that things are working toward a solution. I would suggest, though, that it is rather frustrating to see all of this ink and blood spilt over what seems to be a misunderstanding.

--continued inline --

On 10/25/2011 3:40 PM, Florian Effenberger wrote:

Hi,

Andrew Rist wrote on 2011-10-26 00:34:

I do not understand why this is easier than continuing on the existing list.

when I asked that last time, I heard various replies:

- You need to be an iCLA signer to be on that list.

You don't - you never have. This list has been in existence for several years, and this has not changed.

- You need to be an Apache contributor to be on that list.

You don't - you never have. This list has been in existence for several years, and this has not changed.

- We have no administrative access to that list.

This had not been an issue to date - it seems that this is solvable, and a way to create trust between the communities.

I'll add another issue that has been thrown out - people getting thrown off the list or excluded. This also has not happened.

Thus, it is a bit frustrating to listen to this conversation and the search for a cure to a problem that may not have actually ever existed. </rant>

Andrew

In the meantime, a bunch of other proposals have come in. Looking at the history of this issue (Michael outlined it very well), I think a neutral, trusted ground is the best way to cooperate in this matter. And again, I think everyone benefits the same from my proposal, with no one overly preferred, and nobody losing anything. It demands the same from everyone.

Florian

-- 
Andrew Rist | Interoperability Architect
Oracle Corporate Architecture Group
Redwood Shores, CA | 650.506.9847
RE: [proposal] Neutral / shared security list ...
Oh, and the most important part: In what way is the AOOo party to the consensus that is reached? That ooo-security (an agent of the PPMC, essentially) will participate in the described community arrangement if established? Something else?

I think that would be essential to bringing this to a successful conclusion.

-Original Message-
From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
Sent: Tuesday, October 25, 2011 15:45
To: 'ooo-dev@incubator.apache.org'
Cc: 'Dave Fisher'
Subject: RE: [proposal] Neutral / shared security list ...

Dave, if you are going to do that, just relabeling a thread is not helpful. Please compose a specific concrete proposal under a [DISCUSS], and announce the duration and end-time for a lazy consensus at the top. Give it at least 3 full 24-hour calendar days. I don't have any sense that there is alignment yet, but there may be in that time and I am happy to be mistaken. Then at the end, if there is a consensus, please report what it is.

- Dennis

-Original Message-
From: Dave Fisher [mailto:dave2w...@comcast.net]
Sent: Tuesday, October 25, 2011 15:35
To: ooo-dev@incubator.apache.org
Cc: flo...@documentfoundation.org
Subject: Re: [proposal] Neutral / shared security list ...

Hi -

Sorry to reply to myself. Even though there are choices in this email, please view it as a proposal where we are seeking lazy consensus.

On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote:

On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote:

On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net wrote:

Agreed. We need to pick a neutral domain name. office-security.org is apparently free. Some institution needs to buy domain registration. I've been the volunteer registrar for a social group's domain; it is a pain to transition. This needs to be an institution, it could be Team OOo?

I think they are too close to the matter. SPI exists specifically to hold assets in trust - perhaps they would hold the registration for us all? If we agree I'd be happy to volunteer to contact them. It's also possible we could ask OSI to do it - Jim Jagielski and I are both on the Board at present.

These are both interesting ideas.

The proposal is to pick a domain and get registration; Simon volunteers to help.

An ISP for hosting the private ML needs to be selected. Dennis suggests that the ASF could be that ISP for free.

<slight snip/>

And:

<insert>
On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote:
<snip/>
If we basically agree that such a list as outlined by me is a way to go, I am happy to ask a friend of mine who has a very good reputation in being a mail server, mailing list and security expert, with a very good track record, including all sorts of certifications. He is offering e-mail services as a business. I just don't want to spread the name publicly without asking him first, and I don't want to ask him before we have some common understanding. :-)
</insert>

The proposal is for the existing securityteam to choose; the above are two possibilities.

securityteam@oo.o is migrated to whatever the new list is, and those people start administrating.

I think it is very important for the public to know who all of the projects are on the shared ML.

I propose that this shared security team provide a list of participating peers to the public.

Are we done already :-)

Let's let the world revolve to see if we have some consensus. Revolve 3x or 72 hours.

Regards,
Dave

Regards,
Dave

Regards,
Dave

That is fair to anyone, does not exclude anyone, does not benefit one over the other -- it's easy, simple, and the best way to go. Sure, everyone can create their own aliases pointing to that list, but the core is the same, and that's what matters.

If you folks now start complaining about "we don't trust Apache", we can answer by complaining "you don't trust TDF" and so on. It's a horrible waste of time, it's lame, it does not help anyone, and it makes me doubt we're talking amongst adults, seriously. And, really, all this crap being tossed around about trustworthiness, upstream, downstream, code similarities and insults is worth not even the digital paper it's written on.

I made a simple, plain, and easy proposal. Don't make things overly complicated, folks.

Thanks for considering,
Florian

-- 
Florian Effenberger flo...@documentfoundation.org
Steering Committee and Founding Member of The Document Foundation
Tel: +49 8341 99660880 | Mobile: +49 151 14424108
Skype: floeff | Twitter/Identi.ca: @floeff

-- 
Simon Phipps +1 415 683 7660 : www.webmink.com
[CODE] Review i118519 and i118520 - gtk quickstarter and libegg
Hi there,

can someone in the know of framework/gtk stuff please review the patches attached to https://issues.apache.org/ooo/show_bug.cgi?id=118519 and https://issues.apache.org/ooo/show_bug.cgi?id=118520

Regards
-- 
Ariel Constenla-Haile
La Plata, Argentina
Re: Neutral / shared security list ...
On Tue, Oct 25, 2011 at 6:40 PM, Florian Effenberger flo...@documentfoundation.org wrote:

Hi,

Andrew Rist wrote on 2011-10-26 00:34:

I do not understand why this is easier than continuing on the existing list.

when I asked that last time, I heard various replies:

Oh, Florian, you have either misread or have been misled. Every one of these points is false. If you really had this impression, there is a tragic misunderstanding here.

- You need to be an iCLA signer to be on that list.

False. No iCLA is required to participate on the list. It never was before and no one has suggested adding that requirement. Where exactly did you read this?

- You need to be an Apache contributor to be on that list.

False. Where exactly did you read this?

- We have no administrative access to that list.

False. We've offered to allow TDF/LO moderators.

In the meantime, a bunch of other proposals have come in. Looking at the history of this issue (Michael outlined it very well), I think a neutral, trusted ground is the best way to cooperate in this matter. And again, I think everyone benefits the same from my proposal, with no one overly preferred, and nobody losing anything. It demands the same from everyone.

Florian

-- 
Florian Effenberger flo...@documentfoundation.org
Steering Committee and Founding Member of The Document Foundation
Tel: +49 8341 99660880 | Mobile: +49 151 14424108
Skype: floeff | Twitter/Identi.ca: @floeff
Re: [proposal] Neutral / shared security list ...
On Tue, Oct 25, 2011 at 7:01 PM, Dennis E. Hamilton dennis.hamil...@acm.org wrote:

Oh, and the most important part: In what way is the AOOo party to the consensus that is reached? That ooo-security (an agent of the PPMC, essentially) will participate in the described community arrangement if established? Something else?

It would be good to also include in the proposal how IP will be treated. By my reading of the iCLA this would not be covered, since it is not an Apache list. We'd need to make some other agreement, take it to legal-discuss, etc.

I think that would be essential to bringing this to a successful conclusion.

-Original Message-
From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
Sent: Tuesday, October 25, 2011 15:45
To: 'ooo-dev@incubator.apache.org'
Cc: 'Dave Fisher'
Subject: RE: [proposal] Neutral / shared security list ...

Dave, if you are going to do that, just relabeling a thread is not helpful. Please compose a specific concrete proposal under a [DISCUSS], and announce the duration and end-time for a lazy consensus at the top. Give it at least 3 full 24-hour calendar days. I don't have any sense that there is alignment yet, but there may be in that time and I am happy to be mistaken. Then at the end, if there is a consensus, please report what it is.

- Dennis

-Original Message-
From: Dave Fisher [mailto:dave2w...@comcast.net]
Sent: Tuesday, October 25, 2011 15:35
To: ooo-dev@incubator.apache.org
Cc: flo...@documentfoundation.org
Subject: Re: [proposal] Neutral / shared security list ...

Hi -

Sorry to reply to myself. Even though there are choices in this email, please view it as a proposal where we are seeking lazy consensus.

On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote:

On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote:

On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net wrote:

Agreed. We need to pick a neutral domain name. office-security.org is apparently free. Some institution needs to buy domain registration. I've been the volunteer registrar for a social group's domain; it is a pain to transition. This needs to be an institution, it could be Team OOo?

I think they are too close to the matter. SPI exists specifically to hold assets in trust - perhaps they would hold the registration for us all? If we agree I'd be happy to volunteer to contact them. It's also possible we could ask OSI to do it - Jim Jagielski and I are both on the Board at present.

These are both interesting ideas.

The proposal is to pick a domain and get registration; Simon volunteers to help.

An ISP for hosting the private ML needs to be selected. Dennis suggests that the ASF could be that ISP for free.

<slight snip/>

And:

<insert>
On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote:
<snip/>
If we basically agree that such a list as outlined by me is a way to go, I am happy to ask a friend of mine who has a very good reputation in being a mail server, mailing list and security expert, with a very good track record, including all sorts of certifications. He is offering e-mail services as a business. I just don't want to spread the name publicly without asking him first, and I don't want to ask him before we have some common understanding. :-)
</insert>

The proposal is for the existing securityteam to choose; the above are two possibilities.

securityteam@oo.o is migrated to whatever the new list is, and those people start administrating.

I think it is very important for the public to know who all of the projects are on the shared ML.

I propose that this shared security team provide a list of participating peers to the public.

Are we done already :-)

Let's let the world revolve to see if we have some consensus. Revolve 3x or 72 hours.

Regards,
Dave

Regards,
Dave

Regards,
Dave

That is fair to anyone, does not exclude anyone, does not benefit one over the other -- it's easy, simple, and the best way to go. Sure, everyone can create their own aliases pointing to that list, but the core is the same, and that's what matters.

If you folks now start complaining about "we don't trust Apache", we can answer by complaining "you don't trust TDF" and so on. It's a horrible waste of time, it's lame, it does not help anyone, and it makes me doubt we're talking amongst adults, seriously. And, really, all this crap being tossed around about trustworthiness, upstream, downstream, code similarities and insults is worth not even the digital paper it's written on.

I made a simple, plain, and easy proposal. Don't make things overly complicated, folks.

Thanks for considering,
Florian

-- 
Florian Effenberger flo...@documentfoundation.org
Steering Committee and Founding Member of The Document Foundation
Tel: +49 8341 99660880 | Mobile: +49 151 14424108
Skype: floeff | Twitter/Identi.ca: @floeff

-- 
Simon Phipps +1 415 683 7660 :
Re: Mailing list user migration: Staging and volunteers
On Tue, Oct 25, 2011 at 2:43 PM, Rob Weir robw...@apache.org wrote:

On Tue, Oct 25, 2011 at 5:36 PM, Kay Schenk kay.sch...@gmail.com wrote:

On Tue, Oct 25, 2011 at 2:30 PM, Rob Weir robw...@apache.org wrote:

A quick summary of where we are, in case you haven't been following the previous threads. Information on the top 100 legacy mailing lists is on the wiki [1]. A draft note that will be sent to these lists is on another page [2].

If you look at that first page, you'll note that the Migration Owner column is blank. So either I need to quickly learn French, Dutch and Japanese, or I need some help here. Volunteers would translate the note, send it to the relevant NL lists, and be available on those lists to answer any migration-related questions. Ideally you would already be a participant on the lists and familiar to that community.

As for staging, I'd recommend that we do not do this all at once. Migrating 100 lists at once would be very messy. But we can easily break this down into related groups of lists and do the migration over a few weeks. One possible staging would be:

1) All the lists that will be merged into the new ooo-marketing list. This will help jump-start that list's important work, and bring community members into the discussion who might not have been interested in the other topics we've been discussing on ooo-dev.
2) All of the lists that will be merged into ooo-dev
3) All of the lists that will be merged into ooo-users
4) NL lists (which could be done in parallel with the above; however, they will require some discussion and admin work to create new ooo-lang lists)

The thought behind this staging is that we work out the kinks with the more technical and (hopefully) more forgiving project lists, before moving on to the user and NL lists. We can adjust the instructions and messaging based on what we learn from the initial migrations.

Regards,
-Rob

Have the new NL lists been set up already? I may have missed that and I haven't looked at any jira tix.

No NL lists yet, except for Japanese. We need moderator volunteers before we can request them. Process for getting a new mailing list created is here: http://www.apache.org/dev/committers.html#new-mailing-list

Probably makes sense to start with the largest NL communities first?

OK, thanks, I need to think about this...a good approach, etc.

[1] https://cwiki.apache.org/confluence/display/OOOUSERS/Mailing+lists
[2] https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post

-- 
--- MzK
This is no social crisis
Just another tricky day for you.
-- Tricky Day, the Who

-- 
--- MzK
This is no social crisis
Just another tricky day for you.
-- Tricky Day, the Who
Re: Neutral / shared security list ...
On Wed, Oct 26, 2011 at 12:22 AM, Rob Weir robw...@apache.org wrote:

On Tue, Oct 25, 2011 at 6:18 PM, Simon Phipps si...@webmink.com wrote:

On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net wrote:

Agreed. We need to pick a neutral domain name. office-security.org is apparently free. Some institution needs to buy domain registration. I've been the volunteer registrar for a social group's domain; it is a pain to transition. This needs to be an institution, it could be Team OOo?

I think they are too close to the matter. SPI exists specifically to hold assets in trust - perhaps they would hold the registration for us all? If we agree I'd be happy to volunteer to contact them.

At Apache we make proposals and seek lazy consensus, typically 72 hours. I see nothing urgent here that would make us bypass that part of our decision making process.

Is this addressed to me or to someone else, Rob? I haven't seen anyone suggesting any process be bypassed, so I am very confused by this statement.

I look forward to reading the specifics of your proposal. I've made mine.

-Rob

It's also possible we could ask OSI to do it - Jim Jagielski and I are both on the Board at present.

An ISP for hosting the private ML needs to be selected. Dennis suggests that the ASF could be that ISP for free.

Could the TDF be the ISP?

Isn't that for you to say? I agree it is not the main issue.

securityteam@oo.o is migrated to whatever the new list is, and those people start administrating.

I think it is very important for the public to know who all of the projects are on the shared ML.

Are we done already :-)

Regards,
Dave

That is fair to anyone, does not exclude anyone, does not benefit one over the other -- it's easy, simple, and the best way to go. Sure, everyone can create their own aliases pointing to that list, but the core is the same, and that's what matters.

If you folks now start complaining about "we don't trust Apache", we can answer by complaining "you don't trust TDF" and so on. It's a horrible waste of time, it's lame, it does not help anyone, and it makes me doubt we're talking amongst adults, seriously. And, really, all this crap being tossed around about trustworthiness, upstream, downstream, code similarities and insults is worth not even the digital paper it's written on.

I made a simple, plain, and easy proposal. Don't make things overly complicated, folks.

Thanks for considering,
Florian

-- 
Florian Effenberger flo...@documentfoundation.org
Steering Committee and Founding Member of The Document Foundation
Tel: +49 8341 99660880 | Mobile: +49 151 14424108
Skype: floeff | Twitter/Identi.ca: @floeff

-- 
Simon Phipps +1 415 683 7660 : www.webmink.com

-- 
Simon Phipps +1 415 683 7660 : www.webmink.com
Re: [proposal] Neutral / shared security list ...
On Oct 25, 2011, at 4:01 PM, Dennis E. Hamilton wrote: Oh, and the most important part: In what way is the AOOo party to the consensus that is reached? That ooo-security (an agent of the PPMC, essentially) will participate in the described community arrangement if established? Something else? The assumption is that whoever we have on ooo-security that is on securityteam@oo.o will be the PPMC's agent on securityteam@oo.o and its neutral successor. Should securityteam@oo.o suddenly be acceptable then the plan is simplified. I think that would be essential to bringing this to a successful conclusion. Yes. Regards, Dave -Original Message- From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org] Sent: Tuesday, October 25, 2011 15:45 To: 'ooo-dev@incubator.apache.org' Cc: 'Dave Fisher' Subject: RE: [proposal] Neutral / shared security list ... Dave, if you are going to do that, just relabeling a thread is not helpful. Please compose a specific concrete proposal under a [DISCUSS], and announce the duration and end-time for a lazy consensus at the top. Give it at least 3 full 24-hour calendar days. I don't have any sense that there is alignment yet, but there may be in that time and I am happy to be mistaken. Then at the end, if there is a consensus, please report what it is. - Dennis -Original Message- From: Dave Fisher [mailto:dave2w...@comcast.net] Sent: Tuesday, October 25, 2011 15:35 To: ooo-dev@incubator.apache.org Cc: flo...@documentfoundation.org Subject: Re: [proposal] Neutral / shared security list ... Hi - Sorry to reply to myself. Even though there are choices in this email, please view it as a proposal where we are seeking lazy consensus. On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote: On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote: On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net wrote: Agreed. We need to pick a neutral domain name. office-security.org is apparently free. Some institution needs to buy domain registration. 
I've been the volunteer registrar for a social groups domain, it is a pain to transition. This needs to be an institution, it could be Team OOo? I think they are too close to the matter. SPI exists specifically to hold assets in trust - perhaps they would hold the registration for us all? If we agree I'd be happy to volunteer to contact them. It's also possible we could ask OSI to do it - Jim Jagielski and I are both on the Board at present. These are both interesting ideas. The proposal is to pick a domain and get registration; Simon volunteers to help. An ISP for hosting the private ML needs to be selected. Dennis suggests that the ASF could be that ISP for free. slight snip/ And: insert On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote: snip/ If we basically agree that such a list as outlined by me is a way to go, I am happy to ask a friend of mine who has a very good reputation in being a mail server, mailing list and security expert, with a very good track record, including all sorts of certifications. He is offering e-mail services as a business. I just don't want to spread the name publicly without asking him first, and I don't want to ask him, before we have some common understanding. :-) /insert The proposal is for the existing securityteam to choose, the above are two possibilities. securityteam@oo.o is migrated to whatever the new list is, and those people start administrating. I think it is very important for the public to know who all of the projects are on the shared ML. I propose that this shared security team provide a list of participating peers to the public. Are we done already :-) Let's let the world revolve to see if we have some Consensus. Revolve 3x or 72 hours. Regards, Dave Regards, Dave Regards, Dave That is fair to anyone, does not exclude anyone, does not benefit one over the other -- it's easy, simple, and the best way to go. 
Sure, everyone can create own aliases pointing to that list, but the core is the same, and that's what matters. If you folks now start complaining about we don't trust Apache, we can answer by complaining you don't trust TDF and so on. It's a horrible waste of time, it's lame, it does not help anyone, and it makes me doubt we're talking amongst adults, seriously. And, really, all this crap being tossed around about trustworthiness, upstream, downstream, code similarities and insults is worth not even the digital paper it's written on. I made a simple, plain, and easy proposal. Don't make things overly complicated, folks. Thanks for considering, Florian -- Florian Effenberger flo...@documentfoundation.org Steering Committee and Founding Member of The Document Foundation Tel: +49 8341 99660880 | Mobile: +49 151 14424108 Skype: floeff |
RE: Neutral / shared security list ...
Andrew, I think part of the confusion is from the discussion leading up to the creation of ooo-security and some related discussion about why securityteam@ was not enough at that time. Without getting into the he-said, she-said part of it, that seems to be the origin. There was more when the TDF announcement about a CVE came up and securityteam@ was discussed in that context. In the face of that, I think it is essential that there be a trustworthy statement to the effect that none of the things that have not happened will also not happen when ASF has custody. Absent that, this situation continues. Perhaps even despite that. But such an ASF-backed [PPMC] declaration would accomplish a great deal, it seems to me. - Dennis -Original Message- From: Andrew Rist [mailto:andrew.r...@oracle.com] Sent: Tuesday, October 25, 2011 15:59 To: ooo-dev@incubator.apache.org Subject: Re: Neutral / shared security list ... I will drop off this thread after this post, as it seems that things are working toward a solution. I would suggest though that it is rather frustrating to see all of this ink and blood spilt over what seems to be a misunderstanding. --continued inline -- On 10/25/2011 3:40 PM, Florian Effenberger wrote: Hi, Andrew Rist wrote on 2011-10-26 00:34: I do not understand why this is easier than continuing on the existing list. when I asked that last time, I heard various replies: - You need to be an iCLA signer to be on that list. You don't - you never have. This list has been in existence for several years, and this has not changed. - You need to be an Apache contributor to be on that list. You don't - you never have. This list has been in existence for several years, and this has not changed. - We have no administrative access to that list. This had not been an issue to date - it seems that this is solvable, and a way to create trust between the communities. 
I'll add another issue that has been thrown out - people getting thrown off the list or excluded This also has not happened. Thus, it is a bit frustrating to listen to this conversation and the search for a cure to a problem that may not have actually ever existed. /rant Andrew In the meantime, a bunch of other proposals have come in. Looking at the history of this issue (Michael outlined it very well), I think a neutral, trusted ground is the best way to cooperate in this matter. And again, I think everyone benefits the same from my proposal, with no one overly preferred, and nobody losing anything. It demands the same from everyone. Florian -- Andrew Rist | Interoperability Architect OracleCorporate Architecture Group Redwood Shores, CA | 650.506.9847
Re: [proposal] Neutral / shared security list ...
On Oct 25, 2011, at 4:05 PM, Rob Weir wrote: On Tue, Oct 25, 2011 at 7:01 PM, Dennis E. Hamilton dennis.hamil...@acm.org wrote: Oh, and the most important part: In what way is the AOOo party to the consensus that is reached? That ooo-security (an agent of the PPMC, essentially) will participate in the described community arrangement if established? Something else? It would be good to also include in the proposal how IP will be treated. By my reading of the iCLA this would not be covered, since it is not an Apache list. We'd need to make some other agreement, take it to legal-discuss, etc. I'm not so sure. ooo-security is responsible for assuring that security fixes for AOOo are AL2 compatible. If the shared security group is not producing compatible IP in response to a security threat that is a different problem. If it happens often then ooo-security will need to discuss this with ooo-private. We can make it a mission statement of this group to help all the peers produce fixes that are compatible with their licenses. I don't think we can guarantee all individuals on the team will be able to always do so. Requiring such an affirmation is clearly a blocker for some individual's participation. Regards, Dave I think that would be essential to bringing this to a successful conclusion. -Original Message- From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org] Sent: Tuesday, October 25, 2011 15:45 To: 'ooo-dev@incubator.apache.org' Cc: 'Dave Fisher' Subject: RE: [proposal] Neutral / shared security list ... Dave, if you are going to do that, just relabeling a thread is not helpful. Please compose a specific concrete proposal under a [DISCUSS], and announce the duration and end-time for a lazy consensus at the top. Give it at least 3 full 24-hour calendar days. I don't have any sense that there is alignment yet, but there may be in that time and I am happy to be mistaken. Then at the end, if there is a consensus, please report what it is. 
- Dennis -Original Message- From: Dave Fisher [mailto:dave2w...@comcast.net] Sent: Tuesday, October 25, 2011 15:35 To: ooo-dev@incubator.apache.org Cc: flo...@documentfoundation.org Subject: Re: [proposal] Neutral / shared security list ... Hi - Sorry to reply to myself. Even though there are choices in this email, please view it as a proposal where we are seeking lazy consensus. On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote: On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote: On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net wrote: Agreed. We need to pick a neutral domain name. office-security.org is apparently free. Some institution needs to buy domain registration. I've been the volunteer registrar for a social groups domain, it is a pain to transition. This needs to be an institution, it could be Team OOo? I think they are too close to the matter. SPI exists specifically to hold assets in trust - perhaps they would hold the registration for us all? If we agree I'd be happy to volunteer to contact them. It's also possible we could ask OSI to do it - Jim Jagielski and I are both on the Board at present. These are both interesting ideas. The proposal is to pick a domain and get registration; Simon volunteers to help. An ISP for hosting the private ML needs to be selected. Dennis suggests that the ASF could be that ISP for free. slight snip/ And: insert On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote: snip/ If we basically agree that such a list as outlined by me is a way to go, I am happy to ask a friend of mine who has a very good reputation in being a mail server, mailing list and security expert, with a very good track record, including all sorts of certifications. He is offering e-mail services as a business. I just don't want to spread the name publicly without asking him first, and I don't want to ask him, before we have some common understanding. 
:-) /insert The proposal is for the existing securityteam to choose, the above are two possibilities. securityteam@oo.o is migrated to whatever the new list is, and those people start administrating. I think it is very important for the public to know who all of the projects are on the shared ML. I propose that this shared security team provide a list of participating peers to the public. Are we done already :-) Let's let the world revolve to see if we have some Consensus. Revolve 3x or 72 hours. Regards, Dave Regards, Dave Regards, Dave That is fair to anyone, does not exclude anyone, does not benefit one over the other -- it's easy, simple, and the best way to go. Sure, everyone can create own aliases pointing to that list, but the core is the same, and that's what matters. If you folks now start complaining about we don't trust Apache, we
RE: [proposal] Neutral / shared security list ...
+1 along with, as Rob mentioned, whatever legal and security@ apache.org review is needed from ASF for us to conduct the securityteam@ OO.o list that way, if that is the case. I am thinking this is not so difficult. Having ooo-security@ representatives at a different location is probably even less difficult in that respect. In any case, having feedback from those parties during your [DISCUSS] would be helpful. - Dennis -Original Message- From: Dave Fisher [mailto:dave2w...@comcast.net] Sent: Tuesday, October 25, 2011 16:12 To: dennis.hamil...@acm.org Cc: ooo-dev@incubator.apache.org Subject: Re: [proposal] Neutral / shared security list ... On Oct 25, 2011, at 4:01 PM, Dennis E. Hamilton wrote: Oh, and the most important part: In what way is the AOOo party to the consensus that is reached? That ooo-security (an agent of the PPMC, essentially) will participate in the described community arrangement if established? Something else? The assumption is that whoever we have on ooo-security that is on securityteam@oo.o will be the PPMC's agent on securityteam@oo.o and its neutral successor. Should securityteam@oo.o suddenly be acceptable then the plan is simplified. I think that would be essential to bringing this to a successful conclusion. Yes. Regards, Dave -Original Message- From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org] Sent: Tuesday, October 25, 2011 15:45 To: 'ooo-dev@incubator.apache.org' Cc: 'Dave Fisher' Subject: RE: [proposal] Neutral / shared security list ... Dave, if you are going to do that, just relabeling a thread is not helpful. Please compose a specific concrete proposal under a [DISCUSS], and announce the duration and end-time for a lazy consensus at the top. Give it at least 3 full 24-hour calendar days. I don't have any sense that there is alignment yet, but there may be in that time and I am happy to be mistaken. Then at the end, if there is a consensus, please report what it is. 
- Dennis -Original Message- From: Dave Fisher [mailto:dave2w...@comcast.net] Sent: Tuesday, October 25, 2011 15:35 To: ooo-dev@incubator.apache.org Cc: flo...@documentfoundation.org Subject: Re: [proposal] Neutral / shared security list ... Hi - Sorry to reply to myself. Even though there are choices in this email, please view it as a proposal where we are seeking lazy consensus. On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote: On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote: On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net wrote: Agreed. We need to pick a neutral domain name. office-security.org is apparently free. Some institution needs to buy domain registration. I've been the volunteer registrar for a social groups domain, it is a pain to transition. This needs to be an institution, it could be Team OOo? I think they are too close to the matter. SPI exists specifically to hold assets in trust - perhaps they would hold the registration for us all? If we agree I'd be happy to volunteer to contact them. It's also possible we could ask OSI to do it - Jim Jagielski and I are both on the Board at present. These are both interesting ideas. The proposal is to pick a domain and get registration; Simon volunteers to help. An ISP for hosting the private ML needs to be selected. Dennis suggests that the ASF could be that ISP for free. slight snip/ And: insert On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote: snip/ If we basically agree that such a list as outlined by me is a way to go, I am happy to ask a friend of mine who has a very good reputation in being a mail server, mailing list and security expert, with a very good track record, including all sorts of certifications. He is offering e-mail services as a business. I just don't want to spread the name publicly without asking him first, and I don't want to ask him, before we have some common understanding. 
:-) /insert The proposal is for the existing securityteam to choose, the above are two possibilities. securityteam@oo.o is migrated to whatever the new list is, and those people start administrating. I think it is very important for the public to know who all of the projects are on the shared ML. I propose that this shared security team provide a list of participating peers to the public. Are we done already :-) Let's let the world revolve to see if we have some Consensus. Revolve 3x or 72 hours. Regards, Dave Regards, Dave Regards, Dave That is fair to anyone, does not exclude anyone, does not benefit one over the other -- it's easy, simple, and the best way to go. Sure, everyone can create own aliases pointing to that list, but the core is the same, and that's what matters. If you folks now start complaining about we don't trust Apache, we can answer by complaining you don't trust TDF and so on. It's a horrible
Re: Neutral / shared security list ...
Hi, Andrew Rist wrote on 2011-10-26 00:58: I will drop off this thread after this post, as it seems that things are working toward a solution. I indeed hope for a solution soon. Too much time has been wasted already, rather than working productively, so if we really would move towards a solution, I'd applaud that. I would suggest though that it is rather frustrating to see all of this ink and blood spilt over what seems to be a misunderstanding. Well, if I recall, my initial proposal has been to simply keep things as is, with the existing list, the contacts on it, and the way things worked. I was told that this does not fit to the Apache way and does not work, that separate lists are required and so on and so on. I was proposing the easiest way in the beginning, it was not desired for some formal/philosophical/whatever reason. I tried again this time with proposing a neutral, trustworthy third-party to host things, hoping this will be accepted by all parties. Let's see how this turns out. Florian -- Florian Effenberger flo...@documentfoundation.org Steering Committee and Founding Member of The Document Foundation Tel: +49 8341 99660880 | Mobile: +49 151 14424108 Skype: floeff | Twitter/Identi.ca: @floeff
RE: [proposal] Neutral / shared security list ...
It seems to me that sharing fixes is not nearly as crucial as sharing identification of vulnerabilities and a little hobnobbing on how the vulnerability will be made known when it exists in more than one project's releases. There might not be coordinated patching and releasing. It all depends. It might not be one-patch fixes all. Contribution of a patch that is worked up can be dealt with in a concrete case. The idea is that this is a cooperative activity and we'll do the right thing. (I found out how to put we in my messages and route around my auto-corrector objection.) But this is about what is likely to happen. The question, for now, is having the shared forum or not. - Dennis -Original Message- From: Dave Fisher [mailto:dave2w...@comcast.net] Sent: Tuesday, October 25, 2011 16:20 To: ooo-dev@incubator.apache.org Subject: Re: [proposal] Neutral / shared security list ... On Oct 25, 2011, at 4:05 PM, Rob Weir wrote: On Tue, Oct 25, 2011 at 7:01 PM, Dennis E. Hamilton dennis.hamil...@acm.org wrote: Oh, and the most important part: In what way is the AOOo party to the consensus that is reached? That ooo-security (an agent of the PPMC, essentially) will participate in the described community arrangement if established? Something else? It would be good to also include in the proposal how IP will be treated. By my reading of the iCLA this would not be covered, since it is not an Apache list. We'd need to make some other agreement, take it to legal-discuss, etc. I'm not so sure. ooo-security is responsible for assuring that security fixes for AOOo are AL2 compatible. If the shared security group is not producing compatible IP in response to a security threat that is a different problem. If it happens often then ooo-security will need to discuss this with ooo-private. We can make it a mission statement of this group to help all the peers produce fixes that are compatible with their licenses. 
I don't think we can guarantee all individuals on the team will be able to always do so. Requiring such an affirmation is clearly a blocker for some individual's participation. Regards, Dave I think that would be essential to bringing this to a successful conclusion. -Original Message- From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org] Sent: Tuesday, October 25, 2011 15:45 To: 'ooo-dev@incubator.apache.org' Cc: 'Dave Fisher' Subject: RE: [proposal] Neutral / shared security list ... Dave, if you are going to do that, just relabeling a thread is not helpful. Please compose a specific concrete proposal under a [DISCUSS], and announce the duration and end-time for a lazy consensus at the top. Give it at least 3 full 24-hour calendar days. I don't have any sense that there is alignment yet, but there may be in that time and I am happy to be mistaken. Then at the end, if there is a consensus, please report what it is. - Dennis -Original Message- From: Dave Fisher [mailto:dave2w...@comcast.net] Sent: Tuesday, October 25, 2011 15:35 To: ooo-dev@incubator.apache.org Cc: flo...@documentfoundation.org Subject: Re: [proposal] Neutral / shared security list ... Hi - Sorry to reply to myself. Even though there are choices in this email, please view it as a proposal where we are seeking lazy consensus. On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote: On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote: On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net wrote: Agreed. We need to pick a neutral domain name. office-security.org is apparently free. Some institution needs to buy domain registration. I've been the volunteer registrar for a social groups domain, it is a pain to transition. This needs to be an institution, it could be Team OOo? I think they are too close to the matter. SPI exists specifically to hold assets in trust - perhaps they would hold the registration for us all? If we agree I'd be happy to volunteer to contact them. 
It's also possible we could ask OSI to do it - Jim Jagielski and I are both on the Board at present. These are both interesting ideas. The proposal is to pick a domain and get registration; Simon volunteers to help. An ISP for hosting the private ML needs to be selected. Dennis suggests that the ASF could be that ISP for free. slight snip/ And: insert On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote: snip/ If we basically agree that such a list as outlined by me is a way to go, I am happy to ask a friend of mine who has a very good reputation in being a mail server, mailing list and security expert, with a very good track record, including all sorts of certifications. He is offering e-mail services as a business. I just don't want to spread the name publicly without asking him first, and I don't want to ask him, before we have some common understanding. :-)
Re: [proposal] Neutral / shared security list ...
On Tue, Oct 25, 2011 at 7:19 PM, Dave Fisher dave2w...@comcast.net wrote: On Oct 25, 2011, at 4:05 PM, Rob Weir wrote: On Tue, Oct 25, 2011 at 7:01 PM, Dennis E. Hamilton dennis.hamil...@acm.org wrote: Oh, and the most important part: In what way is the AOOo party to the consensus that is reached? That ooo-security (an agent of the PPMC, essentially) will participate in the described community arrangement if established? Something else? It would be good to also include in the proposal how IP will be treated. By my reading of the iCLA this would not be covered, since it is not an Apache list. We'd need to make some other agreement, take it to legal-discuss, etc. I'm not so sure. Think of it this way: where else at Apache is it permissible for an Incubation project to collaborate on project code on a private non-Apache list, with no agreement on license, no mentor visibility, and no audit trail for Apache members to inspect? This doesn't sound like the kind of diligence Apache projects traditionally give to IP issues everywhere else. We owe it to our users and ourselves to get this right. ooo-security is responsible for assuring that security fixes for AOOo are AL2 compatible. If the shared security group is not producing compatible IP in response to a security threat that is a different problem. If it happens often then ooo-security will need to discuss this with ooo-private. Putting the responsibility on ooo-security members in such an untenable situation will only lead to the resignation of ooo-security members. I think we need some way to enforce this. From what I'm reading, not even Apache committers who have signed the iCLA are bound to the iCLA for contributions made on some ad-hoc, private, non-Apache list. We can make it a mission statement of this group to help all the peers produce fixes that are compatible with their licenses. I don't think we can guarantee all individuals on the team will be able to always do so. 
Requiring such an affirmation is clearly a blocker for some individual's participation. I think then we need to weigh having a smashing fun party with LO hackers in a private, unauditable list with no license discipline versus Apache's primary mission of producing software for public use under the Apache 2.0 license. The alternative is to step back, realize that Florian has confused what the PPMC position is on securityteam participation and take that route. Since that would be an Apache list, AOOo committers would already be covered. And we could cover the remaining users via a Terms of Use statement for the list. -Rob Regards, Dave I think that would be essential to bringing this to a successful conclusion. -Original Message- From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org] Sent: Tuesday, October 25, 2011 15:45 To: 'ooo-dev@incubator.apache.org' Cc: 'Dave Fisher' Subject: RE: [proposal] Neutral / shared security list ... Dave, if you are going to do that, just relabeling a thread is not helpful. Please compose a specific concrete proposal under a [DISCUSS], and announce the duration and end-time for a lazy consensus at the top. Give it at least 3 full 24-hour calendar days. I don't have any sense that there is alignment yet, but there may be in that time and I am happy to be mistaken. Then at the end, if there is a consensus, please report what it is. - Dennis -Original Message- From: Dave Fisher [mailto:dave2w...@comcast.net] Sent: Tuesday, October 25, 2011 15:35 To: ooo-dev@incubator.apache.org Cc: flo...@documentfoundation.org Subject: Re: [proposal] Neutral / shared security list ... Hi - Sorry to reply to myself. Even though there are choices in this email, please view it as a proposal where we are seeking lazy consensus. On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote: On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote: On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net wrote: Agreed. We need to pick a neutral domain name. 
office-security.org is apparently free. Some institution needs to buy domain registration. I've been the volunteer registrar for a social groups domain, it is a pain to transition. This needs to be an institution, it could be Team OOo? I think they are too close to the matter. SPI exists specifically to hold assets in trust - perhaps they would hold the registration for us all? If we agree I'd be happy to volunteer to contact them. It's also possible we could ask OSI to do it - Jim Jagielski and I are both on the Board at present. These are both interesting ideas. The proposal is to pick a domain and get registration; Simon volunteers to help. An ISP for hosting the private ML needs to be selected. Dennis suggests that the ASF could be that ISP for free. slight snip/ And: insert On Oct 25, 2011, at 2:51 PM, Florian Effenberger wrote: snip/ If we basically agree that
Re: Neutral / shared security list ...
On Oct 25, 2011, at 4:25 PM, Florian Effenberger wrote: Hi, Andrew Rist wrote on 2011-10-26 00:58: I will drop off this thread after this post, as it seems that things are working toward a solution. I indeed hope for a solution soon. Too much time has been wasted already, rather than working productively, so if we really would move towards a solution, I'd applaud that. I would suggest though that it is rather frustrating to see all of this ink and blood spilt over what seems to be a misunderstanding. Well, if I recall, my initial proposal has been to simply keep things as is, with the existing list, the contacts on it, and the way things worked. I was told that this does not fit to the Apache way and does not work, that separate lists are required and so on and so on. I was proposing the easiest way in the beginning, it was not desired for some formal/philosophical/whatever reason. There were a lot of conflicting remarks. I tried again this time with proposing a neutral, trustworthy third-party to host things, hoping this will be accepted by all parties. Let's see how this turns out. Let us know if securityteam@oo.o is now preferred. Otherwise you can see my proposal which I think is essentially yours. Regards, Dave Florian -- Florian Effenberger flo...@documentfoundation.org Steering Committee and Founding Member of The Document Foundation Tel: +49 8341 99660880 | Mobile: +49 151 14424108 Skype: floeff | Twitter/Identi.ca: @floeff
Re: [proposal] Neutral / shared security list ...
On Oct 25, 2011, at 4:43 PM, Rob Weir wrote: On Tue, Oct 25, 2011 at 7:19 PM, Dave Fisher dave2w...@comcast.net wrote: On Oct 25, 2011, at 4:05 PM, Rob Weir wrote: On Tue, Oct 25, 2011 at 7:01 PM, Dennis E. Hamilton dennis.hamil...@acm.org wrote: Oh, and the most important part: In what way is the AOOo party to the consensus that is reached? That ooo-security (an agent of the PPMC, essentially) will participate in the described community arrangement if established? Something else? It would be good to also include in the proposal how IP will be treated. By my reading of the iCLA this would not be covered, since it is not an Apache list. We'd need to make some other agreement, take it to legal-discuss, etc. I'm not so sure. Think of it this way: where else at Apache is it permissible for an Incubation project to collaborate on project code on a private non-Apache list, with no agreement on license, no mentor visibility, and no audit trail for Apache members to inspect? This doesn't sound like the kind of diligence Apache projects traditionally give to IP issues everywhere else. We owe it to our users and ourselves to get this right. We only care about the code that actually makes it into AOOo. Only ooo-security members will be committing code fixes for AOOo security issues. ooo-security is responsible for assuring that security fixes for AOOo are AL2 compatible. If the shared security group is not producing compatible IP in response to a security threat that is a different problem. If it happens often then ooo-security will need to discuss this with ooo-private. Putting the responsibility on ooo-security members in such an untenable situation will only lead to the resignation of ooo-security members. I think we need some way to enforce this. If it becomes a problem then we deal with it on ooo-private as a community problem. Either we'll need more PPMC on ooo-security or there will be a tangible issue to resolve. 
From what I'm reading, not even Apache committers who have signed the iCLA are bound to the iCLA for contributions made on some ad-hoc, private, non-Apache list.

So? We can make it a mission statement of this group to help all the peers produce fixes that are compatible with their licenses. I don't think we can guarantee all individuals on the team will be able to always do so. Requiring such an affirmation is clearly a blocker for some individuals' participation.

I think then we need to weigh having a smashing fun party with LO hackers in a private, unauditable list with no license discipline versus Apache's primary mission of producing software for public use under the Apache 2.0 license. Code through Community.

I'm trying to find a way to keep the larger community together. You are asserting that the list will be unauditable when the ASF is still a possible ISP? You are asserting a smashing fun party problem that is not visible to me.

The alternative is to step back, realize that Florian has confused what the PPMC position is on securityteam participation and take that route. Since that would be an Apache list, AOOo committers would already be covered. And we could cover the remaining users via a Terms of Use statement for the list.

I'm trying to get there, but let's not forget that others have raised the domain neutrality requirement.

Regards,
Dave

-Rob

Regards,
Dave

I think that would be essential to bringing this to a successful conclusion.

-Original Message-
From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
Sent: Tuesday, October 25, 2011 15:45
To: 'ooo-dev@incubator.apache.org'
Cc: 'Dave Fisher'
Subject: RE: [proposal] Neutral / shared security list ...

Dave, if you are going to do that, just relabeling a thread is not helpful. Please compose a specific concrete proposal under a [DISCUSS], and announce the duration and end-time for a lazy consensus at the top. Give it at least 3 full 24-hour calendar days.
I don't have any sense that there is alignment yet, but there may be in that time and I am happy to be mistaken. Then at the end, if there is a consensus, please report what it is.

- Dennis

-Original Message-
From: Dave Fisher [mailto:dave2w...@comcast.net]
Sent: Tuesday, October 25, 2011 15:35
To: ooo-dev@incubator.apache.org
Cc: flo...@documentfoundation.org
Subject: Re: [proposal] Neutral / shared security list ...

Hi -

Sorry to reply to myself. Even though there are choices in this email, please view it as a proposal where we are seeking lazy consensus.

On Oct 25, 2011, at 3:26 PM, Dave Fisher wrote:

On Oct 25, 2011, at 3:18 PM, Simon Phipps wrote:

On Wed, Oct 26, 2011 at 12:04 AM, Dave Fisher dave2w...@comcast.net wrote:

Agreed. We need to pick a neutral domain name. office-security.org is apparently free. Some institution needs to buy domain registration.

I've been
Re: Mailing list user migration: Staging and volunteers
On Tue, Oct 25, 2011 at 6:43 PM, Andrew Rist andrew.r...@oracle.com wrote:

On 10/25/2011 2:43 PM, Rob Weir wrote:

On Tue, Oct 25, 2011 at 5:36 PM, Kay Schenk kay.sch...@gmail.com wrote:

On Tue, Oct 25, 2011 at 2:30 PM, Rob Weir robw...@apache.org wrote:

A quick summary of where we are, in case you haven't been following the previous threads.

Information on the top 100 legacy mailing lists is on the wiki [1]. A draft note that will be sent to these lists is on another page [2].

If you note in that first page, the Migration Owner column is blank. So either I need to quickly learn French, Dutch and Japanese, or I need some help here. Volunteers would translate the note, send it to the relevant NL lists, and be available on those lists to answer any migration-related questions. Ideally you would already be a participant on the lists and familiar to that community.

As for staging, I'd recommend that we do not do this all at once. Migrating 100 lists at once would be very messy. But we can easily break this down into related groups of lists and do the migration over a few weeks. One possible staging would be:

1) All the lists that will be merged into the new ooo-marketing list. This will help jump start that list's important work, and bring community members into the discussion who might not have been interested in the other topics we've been discussing on ooo-dev.

2) All of the lists that will be merged into ooo-dev

3) All of the lists that will be merged into ooo-users

4) NL lists (which could be done in parallel with the above. However, they will require some discussion and admin work to create new ooo-lang lists.)

The thought behind this staging is that we work out the kinks with the more technical and (hopefully) more forgiving project lists, before moving on to the user and NL lists. We can adjust the instructions and messaging based on what we learn from the initial migrations.

Regards,

-Rob

Have the new NL lists been set up already?
I may have missed that and I haven't looked at any jira tix.

No NL lists yet, except for Japanese. We need moderator volunteers before we can request them. Process for getting a new mailing list created is here: http://www.apache.org/dev/committers.html#new-mailing-list

Probably makes sense to start with the largest NL communities first?

Have we considered having a list for 'un-represented languages'? If a user does not find their language, where do they go? Posting to the English list or ooo-dev in another language is frowned on. This is a bootstrapping question. Where can a community go to say that they exist, have a need, and would like to create a list?

There are some words of wisdom in the Committer's FAQ [1] regarding user lists:

WARNING: the creation of a user mail list can be a very dangerous thing for a community if the developers don't pay attention to their users and if users don't have developers that reply to their emails. Sure, active developers should expect a well behaving user community to reply to one another for simple questions, but this doesn't happen overnight and the creation of a user mail list alone can turn into a very harmful change.

So I think we would want to consider on each request whether we have sufficient interest to have a self-supporting user support community. Having an existing committer who speaks the language is great. Having a number of power users is also good. But having users asking questions and getting no answers --- that would reflect poorly on the project.

That said, I have absolutely no idea how we would determine this for a new list. For existing lists I think we can look at the archives and see how much traffic they are getting, whether questions are being answered, etc. But if someone requests a Klingon list, how do we know if there is a sufficient community behind it?
As for where to ask, I think that is ooo-dev by default, and the request would need to be made in English or some other language that we can figure out how to translate.

[1]: http://www.apache.org/dev/committers.html#new-mailing-list

I think that would be ooo-dev, in a language that ooo-dev is essentially the central list for the project, in terms of announcements, posting project-wide proposals, etc.

I understand we don't want to create dead lists, and don't want to create a list that cannot be self sustainable, but it seems like there is a gap here for bringing in new communities.

[1] https://cwiki.apache.org/confluence/display/OOOUSERS/Mailing+lists
[2] https://cwiki.apache.org/confluence/display/OOOUSERS/Email+Migration+Post

--
---
MzK

This is no social crisis
Just another tricky day for you.
-- Tricky Day, the Who

--
Andrew Rist | Interoperability Architect
Oracle Corporate Architecture Group
Redwood Shores, CA | 650.506.9847