Hi Andre,
On Jul 29, 2011, at 7:50 AM, André Schnabel wrote:
>> I must confess I find it really strange that policies seem to be changed
>> here.
>>
>> We had a good team at OpenOffice.org
>
> Well .. this is not OpenOffice.org, this is Apache. ;)
First, I thought this was an ironic note, but
Hi Florian,
On 28.07.2011 23:41, Florian Effenberger wrote:
Hello,
Dennis E. Hamilton wrote on 2011-07-28 22:04:
I support Malte's recommendation to add two individuals that are
currently in-common with respect to OpenOffice.org (traditional) and
LibreOffice.
I must confess I find it rea
Ok, Rob, If it is a case 1 scenario, then sure, it makes no sense to
publicize it.
"Oops, I just opened a security hole, I oughta tweet that."
Lol
Wolf
On Jul 28, 2011 7:24 PM, "Rob Weir" wrote:
> On Thu, Jul 28, 2011 at 6:59 PM, Wolf Halton
wrote:
>> One of the things I think proprietary proj
There's a story, perhaps apocryphal (i.e., like the bicycle shed story), about
Tom Watson approaching a Sr.VP for Human Resources in a hallway and asking how
college students get summer jobs at IBM. The Sr.VP said he'd get back to him.
I will say no more. You might imagine how this went South
I'll add my +1 as a mentor (i.e. not a committer) to Rob's general
suggestions.
Personally, I would be uncomfortable to have non-PPMC or Apache Security
team members on the ooo-security@ list. This is a list for this project
to become aware of potential security issues, and to quickly review
Apache RAT is in the incubator, and some projects use it to do source
code license checking and the like:
http://incubator.apache.org/rat/
Note that the committers repository has two directories with other, much
simpler (but possibly useful) tools about checking or changing licenses
or other
> -Original Message-
> From: Rob Weir [mailto:apa...@robweir.com]
> Sent: Friday, 29 July 2011 11:25 AM
> To: ooo-dev@incubator.apache.org
> Subject: Re: Population of ooo-security
>
>
> That raises some questions:
>
> A) How does one engage with the Apache Security team for "help a
On Thu, Jul 28, 2011 at 7:51 PM, Dave Fisher wrote:
>
> On Jul 28, 2011, at 4:23 PM, Rob Weir wrote:
>
>> On Thu, Jul 28, 2011 at 6:59 PM, Wolf Halton wrote:
>>> One of the things I think proprietary projects are wrong about is treating
>>> bugs, including security bugs, as secret private things.
On Jul 28, 2011, at 3:43 PM, Dennis E. Hamilton wrote:
> My question is not about the code developed at ASF but the one for folks "own
> use" of the Apache license.
>
> I assume that the same applies because you'd want to see those if the code
> were donated to Apache.
>
> I will take on th
On Jul 28, 2011, at 4:23 PM, Rob Weir wrote:
> On Thu, Jul 28, 2011 at 6:59 PM, Wolf Halton wrote:
>> One of the things I think proprietary projects are wrong about is treating
>> bugs, including security bugs, as secret private things. The best security
>> solution we have is the number of eyes
On Thu, Jul 28, 2011 at 6:43 PM, Dennis E. Hamilton
wrote:
> Florian, we are all learning over here.
>
> There are practices that the ASF has around security and how reports to
> security are handled and the Apache ooo PPMC is working to comprehend how to
> do this properly. We're still working
On Thu, Jul 28, 2011 at 6:59 PM, Wolf Halton wrote:
> One of the things I think proprietary projects are wrong about is treating
> bugs, including security bugs, as secret private things. The best security
> solution we have is the number of eyes we allow to see the problems. I think
> emulating t
One of the things I think proprietary projects are wrong about is treating
bugs, including security bugs, as secret private things. The best security
solution we have is the number of eyes we allow to see the problems. I think
emulating the paranoia is a mistake. Security-related bugs should go to
Florian, we are all learning over here.
There are practices that the ASF has around security and how reports to
security are handled and the Apache ooo PPMC is working to comprehend how to do
this properly. We're still working out how this is all meant to work and how
we deal with the fact tha
My question is not about the code developed at ASF but the one for folks "own
use" of the Apache license.
I assume that the same applies because you'd want to see those if the code were
donated to Apache.
I will take on the practice.
- Dennis
-Original Message-
From: Greg Stein [ma
On Thu, Jul 28, 2011 at 6:01 PM, Simon Phipps wrote:
> Another even simpler alternative would be to host the community security list
> elsewhere where these bureaucratic obstacles do not exist. I'd be happy to
> arrange that and ensure all of the relevant parties are freely able to
> participat
We have processes, but we don't stick to them blindly.
Rob Weir wrote on Thu, Jul 28, 2011 at 18:17:14 -0400:
> On Thu, Jul 28, 2011 at 5:41 PM, Florian Effenberger
> wrote:
> > Hello,
> >
> > Dennis E. Hamilton wrote on 2011-07-28 22:04:
> >>
> >> I support Malte's recommendation to add two indi
You may want to CC security@ on this discussion at some point...
Dennis E. Hamilton wrote on Wed, Jul 27, 2011 at 18:23:29 -0700:
> Now that we've confirmed that the ooo-security list exists and the three
> moderators appear to be subscribers, I believe the next action is to
> subscribe the exis
What bureaucratic obstacles?
Simon Phipps wrote on Thu, Jul 28, 2011 at 15:01:38 -0700:
> Another even simpler alternative would be to host the community
> security list elsewhere where these bureaucratic obstacles do not
> exist. I'd be happy to arrange that and ensure all of the relevant
> parti
On Thu, Jul 28, 2011 at 5:41 PM, Florian Effenberger
wrote:
> Hello,
>
> Dennis E. Hamilton wrote on 2011-07-28 22:04:
>>
>> I support Malte's recommendation to add two individuals that are currently
>> in-common with respect to OpenOffice.org (traditional) and LibreOffice.
>
> I must confess I fi
Another even simpler alternative would be to host the community security list
elsewhere where these bureaucratic obstacles do not exist. I'd be happy to
arrange that and ensure all of the relevant parties are freely able to
participate. If necessary the mailing list here at Apache could then be
Another really simple solution:
One or two LO developers, say Caolan and one other, each return the
iCLA and state that they would like to help us with security
vulnerabilities response. Given that expressed commitment to the
project, I would not hesitate to then nominate them and vote for them
a
On Thu, Jul 28, 2011 at 4:04 PM, Dennis E. Hamilton wrote:
> I support Malte's recommendation to add two individuals that are currently
> in-common with respect to OpenOffice.org (traditional) and LibreOffice.
>
If by "in common" you mean common to LibreOffice and the Apache
OpenOffice PPMC, the
Hello,
Dennis E. Hamilton wrote on 2011-07-28 22:04:
I support Malte's recommendation to add two individuals that are currently
in-common with respect to OpenOffice.org (traditional) and LibreOffice.
I must confess I find it really strange that policies seem to be changed
here.
We had a go
Dennis E. Hamilton wrote:
> I am going to operate from the assumption that it is not
> appropriate to cherry-pick the OOo Apache Extra into the Apache
> SVN in any manner, although that code base can certainly be used
> consistent with the license already applied to it.
>
> Does anyone recognize a
On Jul 28, 2011 12:44 PM, "Rob Weir" wrote:
>
> On Thu, Jul 28, 2011 at 3:18 PM, Dennis E. Hamilton
> wrote:
> > Greg,
> >
> > Simple version of the question: Is your putting notices on everything
> > your personal practice or is it a requirement that this be done with all
> > textual artifacts where not
I support Malte's recommendation to add two individuals that are currently
in-common with respect to OpenOffice.org (traditional) and LibreOffice.
- Dennis
MORE THOUGHTS
Of the three of us moderating the ooo-security list, I believe only one of us
has experience in these matters, and that is
On Thu, Jul 28, 2011 at 3:01 PM, florent andré
wrote:
>
>
> On 07/28/2011 08:50 PM, Jens-Heiner Rechtien wrote:
>>
>> On 07/28/2011 08:37 PM, florent andré wrote:
>>>
>>>
>>> On 07/28/2011 08:00 PM, Rob Weir wrote:
On Thu, Jul 28, 2011 at 12:41 AM, Greg Stein wrote:
>
> On Wed, J
On Thu, Jul 28, 2011 at 3:18 PM, Dennis E. Hamilton
wrote:
> Greg,
>
> Simple version of the question: Is your putting notices on everything your
> personal practice or is it a requirement that this be done with all textual
> artifacts where notices are possible?
>
> - Dennis
>
> LONGER VERSION
Greg,
Simple version of the question: Is your putting notices on everything your
personal practice or is it a requirement that this be done with all textual
artifacts where notices are possible?
- Dennis
LONGER VERSION
I looked over the ooo/trunk/tools/dev/ repository and noticed that you pu
--- On Thu, 7/28/11, Jens-Heiner Rechtien wrote:
> On 07/28/2011 04:32 PM, Pedro F. Giffuni wrote:
> >
> > --- On Thu, 7/28/11, Christian Lohmaier wrote:
> > ...
> >>
> >> [1] Note that with the map, it would also be
> >> possible to reuse the old OOo-Subversion repo
> >> for the linear commits,
On 07/28/2011 08:50 PM, Jens-Heiner Rechtien wrote:
On 07/28/2011 08:37 PM, florent andré wrote:
On 07/28/2011 08:00 PM, Rob Weir wrote:
On Thu, Jul 28, 2011 at 12:41 AM, Greg Stein wrote:
On Wed, Jul 27, 2011 at 21:23, Dennis E. Hamilton
wrote:
...
It says we have a "storage quota" of
On 07/28/2011 08:37 PM, florent andré wrote:
On 07/28/2011 08:00 PM, Rob Weir wrote:
On Thu, Jul 28, 2011 at 12:41 AM, Greg Stein wrote:
On Wed, Jul 27, 2011 at 21:23, Dennis E. Hamilton
wrote:
...
It says we have a "storage quota" of 4096 MB. I'm uncertain whether
that is for releases, o
Thanks Christian for investigating this!
As I have to go out for 5 days and my machine is already running another
conversion test, I will not be able to try it sooner... and maybe a
solution will have been found by then! :)
++
On 07/28/2011 07:11 AM, Christian Lohmaier wrote:
Hi *,
On Wed, Jul 27, 201
On 07/28/2011 04:32 PM, Pedro F. Giffuni wrote:
--- On Thu, 7/28/11, Christian Lohmaier wrote:
...
[1] Note that with the map, it would also be possible to
reuse the old OOo-Subversion repo for the linear commits,
after all the hg repo was a conversion from the svn server.
This would save quit
On 07/28/2011 08:00 PM, Rob Weir wrote:
On Thu, Jul 28, 2011 at 12:41 AM, Greg Stein wrote:
On Wed, Jul 27, 2011 at 21:23, Dennis E. Hamilton
wrote:
...
It says we have a "storage quota" of 4096 MB. I'm uncertain whether
that is for releases, or includes repository storage as well.
Ha
About hg --> git then git --> svn
== hg --> git ==
Finished!
It took approx. 40h to complete (someone to do the math over-the-thumb? :))
The result is that it "seems" to import merges... I have no time for more
investigation; I copy/paste below the outputs that give me this feeling [1].
diff -r between
I am assuming the Mercurial repository(ies) (my mind can't grasp all of
those Child Work Spaces) will be as-is and therefore covered by whatever
licenses and notices that are already affixed. [I am assuming this is
analogous with LibreOffice acquiring the LGPL-licensed OO.o code base for i
Ahem.
-Original Message-
From: Greg Stein [mailto:gst...@gmail.com]
Sent: Thursday, July 28, 2011 04:56
To: ooo-dev@incubator.apache.org
Subject: Re: OOO340 to svn
[ ... ]
I have created "ooo" on apache-extras, but would like to give a full 72 hour
discussion to see what support looks l
On Thu, Jul 28, 2011 at 12:41 AM, Greg Stein wrote:
> On Wed, Jul 27, 2011 at 21:23, Dennis E. Hamilton
> wrote:
>> TBD = To Be Determined/Defined
>>
>> There was extensive discussion with Greg Stein and Marcus (and others) in
>> previous weeks on this list. Greg's last post was July 9, as prev
--- On Thu, 7/28/11, Christian Lohmaier wrote:
...
>
> [1] Note that with the map, it would also be possible to
> reuse the old OOo-Subversion repo for the linear commits,
> after all the hg repo was a conversion from the svn server.
> This would save quite a bit of time.
>
I like this idea ...
1) import just the OOO340 tip into svn
2) move all the Hg repositories over to apache-extras.org. That
supports Hg and it supports "any OSI license". We can indefinitely
retain history there without it being "part of" our ASF project.
To get things going fast this might be the best way.
But sho
On Jul 28, 2011 3:38 AM, "Eike Rathke" wrote:
>
> Hi Greg,
>
> On Thursday, 2011-07-28 00:41:40 -0400, Greg Stein wrote:
>
> > 1) import just the OOO340 tip into svn
> > 2) move all the Hg repositories over to apache-extras.org. That
> > supports Hg and it supports "any OSI license". We can indefi
On Thu, Jul 28, 2011 at 6:06 AM, Malte Timmermann
wrote:
> After initiating the OOo security team 5 years ago, and doing most of the
> coordination stuff for OOo security fixes, please allow me to state my
> pov wrt ooo-security :)
>
> ooo-security is _not_ a mailing list where all people inte
On Thu, Jul 28, 2011 at 3:18 AM, Florian Effenberger
wrote:
> Hello,
>
> Rob Weir wrote on 2011-07-28 04:08:
>>
>> -1. This is the project's private security list, with only a subset
>> of the PPMC on it. We should not have 3rd parties signed up on it.
>
> that would mark a negative change in th
On 07/28/2011 06:41 AM, Greg Stein wrote:
On Wed, Jul 27, 2011 at 21:23, Dennis E. Hamilton
wrote:
2) move all the Hg repositories over to apache-extras.org. That
supports Hg and it supports "any OSI license". We can indefinitely
retain history there without it being "part of" our ASF project
On 07/28/2011 12:41 AM, Greg Stein wrote:
In the meantime, and I can dig in more this weekend once I get home,
I'll suggest one possible road for us:
1) import just the OOO340 tip into svn
2) move all the Hg repositories over to apache-extras.org. That
supports Hg and it supports "any OSI lice
Hi Greg,
On Thursday, 2011-07-28 00:41:40 -0400, Greg Stein wrote:
> 1) import just the OOO340 tip into svn
> 2) move all the Hg repositories over to apache-extras.org. That
> supports Hg and it supports "any OSI license". We can indefinitely
> retain history there without it being "part of" our
After initiating the OOo security team 5 years ago, and doing most of
the coordination stuff for OOo security fixes, please allow me to
state my pov wrt ooo-security :)
ooo-security is _not_ a mailing list where all people interested in
security related stuff can discuss fancy things.
oo
Hi,
On Jul 28, 2011, at 9:18 AM, Florian Effenberger wrote:
> I second André and Drew in their opinion that this is actually one of the
> areas, where cooperation is very easily possible, so IMHO, we shouldn't waste
> that chance.
yes, definitely we should cooperate as we did in the past.
--
Hello,
Rob Weir wrote on 2011-07-28 04:08:
-1. This is the project's private security list, with only a subset
of the PPMC on it. We should not have 3rd parties signed up on it.
that would mark a negative change in the way things are handled. Since
the beginning of LibO, we have also been c