Hi Rob,
On Sun, 2011-10-09 at 15:26 -0400, Rob Weir wrote:
Reading binary file formats, including the legacy MS Office
formats, is notoriously difficult to do robustly.
Agreed.
2) That security reports should be sent to successor project's
security contacts.
..
3) We should list
On Mon, Oct 10, 2011 at 6:10 AM, Michael Meeks michael.me...@suse.com wrote:
Hi Rob,
On Sun, 2011-10-09 at 15:26 -0400, Rob Weir wrote:
Reading binary file formats, including the legacy MS Office
formats, is notoriously difficult to do robustly.
Agreed.
2) That security reports
On Mon, 10 Oct 2011 07:45:34 -0400
Rob Weir robw...@apache.org wrote:
Security reports come from security
reporters. Can you tell us whether Red Hat, Inc. security
researcher Huzaifa Sidhpurwala is a TDF member and whether he
was reporting this issue under instructions from TDF?
Does it
On Mon, Oct 10, 2011 at 8:06 AM, Rory O'Farrell ofarr...@iol.ie wrote:
On Mon, 10 Oct 2011 07:45:34 -0400
Rob Weir robw...@apache.org wrote:
Security reports come from security
reporters. Can you tell us whether Red Hat, Inc. security
researcher Huzaifa Sidhpurwala is a TDF member and
On 10 Oct 2011, at 12:45, Rob Weir wrote:
No objections if you want to start a separate invitation-only security
discussion list. It would probably get some use. But we'll continue
to ask for security reports to come to ooo-security.i.a.o.
We appeared to reach consensus[1] on this issue
On Mon, Oct 10, 2011 at 8:24 AM, Simon Phipps si...@webmink.com wrote:
On 10 Oct 2011, at 12:45, Rob Weir wrote:
No objections if you want to start a separate invitation-only security
discussion list. It would probably get some use. But we'll continue
to ask for security reports to come to
On Mon, Oct 10, 2011 at 1:42 PM, Rob Weir robw...@apache.org wrote:
Yes. I've read all the emails from last week.
Please can you answer my question, then, I am not interested in your
argument with Meeks.
S.
On Mon, Oct 10, 2011 at 9:08 AM, Simon Phipps si...@webmink.com wrote:
On Mon, Oct 10, 2011 at 1:42 PM, Rob Weir robw...@apache.org wrote:
Yes. I've read all the emails from last week.
Please can you answer my question, then, I am not interested in your
argument with Meeks.
I've
On Mon, Oct 10, 2011 at 2:15 PM, Rob Weir robw...@apache.org wrote:
I've restated, in more explicit form, what I think the consensus is.
It's hard to read your words that way, as they leave no room for anyone but
Apache committers. The clear consensus was for collaboration with the
StarOffice
On Mon, Oct 10, 2011 at 9:24 AM, Simon Phipps si...@webmink.com wrote:
On Mon, Oct 10, 2011 at 2:15 PM, Rob Weir robw...@apache.org wrote:
I've restated, in more explicit form, what I think the consensus is.
It's hard to read your words that way, as they leave no room for anyone but
Apache
On Mon, Oct 10, 2011 at 3:51 PM, Simon Phipps si...@webmink.com wrote:
On 10 Oct 2011, at 14:31, Rob Weir wrote:
These are not mutually exclusive options, Simon.
And I have very clearly never argued for an exclusive arrangement, Rob.
It's you that has, even if now you are attempting to
to be achieved?
- Dennis
-Original Message-
From: Michael Meeks [mailto:michael.me...@suse.com]
Sent: Monday, October 10, 2011 03:11
To: ooo-dev@incubator.apache.org
Subject: Re: Vulnerability fixed in LibreOffice
[ ... ]
I would instead seriously suggest that the Apache OOo decision
On 10 Oct 2011, at 15:55, Jürgen Schmidt wrote:
On Mon, Oct 10, 2011 at 3:51 PM, Simon Phipps si...@webmink.com wrote:
Back to the actual issue:
* for (A), AOOo clearly needs a private security list. We all agree.
* for (B), the legacy StarOffice ecosystem clearly needs a shared private
: Monday, October 10, 2011 07:55
To: ooo-dev@incubator.apache.org
Subject: Re: Vulnerability fixed in LibreOffice
On Mon, Oct 10, 2011 at 3:51 PM, Simon Phipps si...@webmink.com wrote:
[ ... ]
Back to the actual issue:
* for (A), AOOo clearly needs a private security list. We all agree.
* for (B
On 10 Oct 2011, at 16:03, Dennis E. Hamilton wrote:
Now, how is détente to be achieved?
I suggest by mutually agreeing a list-user-managed venue for future
non-partisan collaboration in the spirit that previously existed on
securityt...@openoffice.org - please see the other message I just
Hi Dennis,
On Mon, 2011-10-10 at 08:03 -0700, Dennis E. Hamilton wrote:
How is it that this reciprocal action occurred and was made known to
the Apache OOo podling ?
Oh - it's quite simple, you ASF/OOo made your decision to not include
TDF guys, and we (without an endless mail thread)
Subject: RE: Vulnerability fixed in LibreOffice
Hi Dennis,
On Mon, 2011-10-10 at 08:03 -0700, Dennis E. Hamilton wrote:
How is it that this reciprocal action occurred and was made known to
the Apache OOo podling ?
Oh - it's quite simple, you ASF/OOo made your decision to not include
TDF guys
On Mon, Oct 10, 2011 at 11:37 AM, Michael Meeks michael.me...@suse.com wrote:
Hi Dennis,
On Mon, 2011-10-10 at 08:03 -0700, Dennis E. Hamilton wrote:
How is it that this reciprocal action occurred and was made known to
the Apache OOo podling ?
Oh - it's quite simple, you ASF/OOo made
What's this thread about - OOo/AOOo/TDF private security lists war
reloaded? ;)
To sum up:
- Apache mentors/PPMCs made clear that only AOOo committers can be on
the AOOo Security list (ooo-secur...@incubator.apache.org).
Regardless of whether or not this rule makes sense in this special case
Hi, Malte,
On 10/10/2011 12:33, Malte Timmermann wrote:
What's this thread about - OOo/AOOo/TDF private security lists war
reloaded? ;)
To sum up:
- Apache mentors/PPMCs made clear that only AOOo committers can be on
the AOOo Security list (ooo-secur...@incubator.apache.org).
Regardless of
Hi TJ,
On 10.10.2011 18:51, TJ Frazier wrote:
Assuming that you are the mt listed as an administrator on the OO.o
security project, that should make you an owner of the securityteam ML.
In theory - but unfortunately the list is not part of the security
project, but of the WWW project (because
Hi Rob,
On Mon, 2011-10-10 at 12:19 -0400, Rob Weir wrote:
It does not seem reasonable to publicly excoriate AOOo for having a
private security list restricted to members while you are
simultaneously and without notice proceed to enforce the same policy
for the TDF security list.
It
On Mon, 2011-10-10 at 18:33 +0200, Malte Timmermann wrote:
old/original OOo security list securityt...@openoffice.org.
Which of course is highly sub-optimal, since it is an openoffice.org
branded list, soon to be Apache owned - which is not neutral. Apparently
we can't administer it
On Mon, Oct 10, 2011 at 4:41 PM, Michael Meeks michael.me...@suse.com wrote:
snip
All I'm doing is suggesting that we treat AOOo security like we do
for every other Apache project.
Sounds great - let's have open-ness to other projects, and
cross-fertilisation of list composition
-Original Message-
From: Michael Meeks [mailto:michael.me...@suse.com]
Sent: Monday, October 10, 2011 13:41
To: ooo-dev@incubator.apache.org
Subject: Re: Vulnerability fixed in LibreOffice
[ ... ]
Potentially you confuse the issue that was found with the rather
broader scope of the fix
+1
-Original Message-
From: Michael Meeks [mailto:michael.me...@suse.com]
Sent: Monday, October 10, 2011 13:54
To: ooo-dev@incubator.apache.org
Subject: Re: Vulnerability fixed in LibreOffice
On Mon, 2011-10-10 at 18:33 +0200, Malte Timmermann wrote:
old/original OOo security list
On 10 October 2011 21:41, Michael Meeks michael.me...@suse.com wrote:
...
It seems that you are asserting that the advice from the established
Apache security mechanism was to be as insular as possible though; is
that really the case ? are all other Apache projects security lists
: Rob Weir [mailto:robw...@apache.org]
Sent: Monday, October 10, 2011 15:58
To: ooo-dev@incubator.apache.org
Subject: Re: Vulnerability fixed in LibreOffice
[ ... ]
I think it would be good if the PPMC wanted to express to the
ooo-security members that they want us to make security collaboration
(cutting and snipping liberally to get to the worthwhile stuff)
On 10/10/2011 7:34 PM, Ross Gardler wrote:
On 10 October 2011 21:41, Michael Meeks michael.me...@suse.com wrote:
...snip...
b) Because other communities exist based on a common code base it
makes sense to attempt to build an
On Wed, Oct 5, 2011 at 1:14 PM, FR web forum ooofo...@free.fr wrote:
Good morning,
TDF has published a fix for LibO: http://wp.me/p1byPE-bQ
Do you know if OOo is impacted too?
Thank you
Possibly, but without details it is hard to tell. But please note
that although the LO press release
Anyone can post to anyone's security list. But they are private lists. It
is the part where discretion must occur in handling vulnerabilities until
the fix is in and a CVE is posted that happens privately and that might work
better with some shared membership on the security lists. On
Hi,
Jürgen Schmidt wrote on 2011-10-06 13:18:
If a TDF or ASF list is secondary for me but I would volunteer to join this
mailing list to help on this topic in the future. But maybe we should try to
keep the existing and known securityt...@openoffice.org mailing list and I
see no reason why it
On 6 Oct 2011, at 12:48, Florian Effenberger wrote:
Jürgen Schmidt wrote on 2011-10-06 13:18:
If a TDF or ASF list is secondary for me but I would volunteer to join this
mailing list to help on this topic in the future. But maybe we should try to
keep the existing and
Hi,
Dirk-Willem van Gulik wrote on 2011-10-06 14:14:
Furthermore - there is nothing stopping you from having a knownsecurity@ group
more focused on security - and having this as your first (more public) port of
call.
for years, there has been security@ooo. That group knows each other very
On 6 Oct 2011, at 13:22, Florian Effenberger wrote:
Dirk-Willem van Gulik wrote on 2011-10-06 14:14:
Furthermore - there is nothing stopping you from having a knownsecurity@
group more focused on security - and having this as your first (more public)
port of call.
for years, there has
On Thu, Oct 6, 2011 at 2:00 PM, Dirk-Willem van Gulik
di...@webweaving.org wrote:
Reading the exchanges - I think language was getting in the way of things.
I really don't think so. I think two issues have been conflated:
A: How AOOo manages its own security process.
B: How AOOo collaborates
On Oct 6, 2011, at 9:27 AM, Simon Phipps wrote:
On Thu, Oct 6, 2011 at 2:00 PM, Dirk-Willem van Gulik
di...@webweaving.org wrote:
Reading the exchanges - I think language was getting in the way of things.
I really don't think so. I think two issues have been conflated:
A: How AOOo
Hi,
Jürgen Schmidt wrote on 2011-10-06 14:40:
My idea is to simply use the existing
securityt...@openoffice.org knownsecurityt...@openoffice.org list for
collaborative work on this topic. LibreOffice has also a separate security
list, right. So I don't see your point here.
I proposed that,
Hi,
Dirk-Willem van Gulik wrote on 2011-10-06 15:00:
Reading the exchanges - I think language was getting in the way of things.
no. It was very clearly stated the existing security group would not be
used anymore, since less contacts were preferred. It was rather clear,
and once again
Wow, has this thread not gone anywhere, nor been as polite as I'd hope.
Fundamentally, the ASF has delegated responsibility for all future
Apache OpenOffice releases to the Apache OpenOffice PPMC. I believe and
support them having a private security@ list that only PPMC members are
Jim Jagielski wrote:
I agree it needs to be addressed. What is ironic is that this
discussion did NOT result in a breakdown of B at all, but
rather a breakdown in another entity also not having a policy
in place in sharing info with other community members.
Hi Jim,
since this is ambiguous
On Thu, Oct 6, 2011 at 5:07 PM, Shane Curcuru a...@shanecurcuru.org wrote:
Wow, has this thread not gone anywhere, nor been as polite as I'd hope.
Fundamentally, the ASF has delegated responsibility for all future Apache
OpenOffice releases to the Apache OpenOffice PPMC. I believe and
Hi -
I blame Oracle, it is nearly 4 months and NO domain transfer.
On Oct 6, 2011, at 8:05 AM, Thorsten Behrens wrote:
Jim Jagielski wrote:
I agree it needs to be addressed. What is ironic is that this
discussion did NOT result in a breakdown of B at all, but
rather a breakdown in another
On 6 Oct 2011, at 16:07, Shane Curcuru wrote:
I think we've completely lost sight of B, a place where Apache OpenOffice
PPMC members and trusted others of related projects can work together. Given
the interrelationships of code between OpenOffice and LibreOffice and others,
I would
--- On Thu, 10/6/11, Dave Fisher wrote:
Hi -
I blame Oracle, it is nearly 4 months and NO domain
transfer.
According to an email in this list by Andrew Rist
on Fri, 9/9/11:
openoffice.org domains transferred to ASF
Cheers,
Pedro.
Hi,
Dave Fisher wrote on 2011-10-06 17:25:
When that discussion was settled it seems someone on the TDF side should have
taken some initiative to inform AOOo at our list. To not have that happen was
not in any spirit of cooperation.
as Thorsten said, AOOo was informed. There was one AOOo
On Thu, Oct 6, 2011 at 5:25 PM, Dave Fisher dave2w...@comcast.net wrote:
Hi -
I blame Oracle, it is nearly 4 months and NO domain transfer.
it doesn't help anybody ;-)
On Oct 6, 2011, at 8:05 AM, Thorsten Behrens wrote:
Jim Jagielski wrote:
I agree it needs to be addressed. What is
On Thu, 06 Oct 2011 17:43:57 +0200
Florian Effenberger flo...@documentfoundation.org wrote:
No, I was personally told that I should not be involved on that
list, because of ICLA-PPMC-whatever-abbreviation things and
that at Apache things are different. So, don't blame me. My
proposal was to
Dave Fisher wrote:
I may remind you that, at the point
of responsible disclosure to securityteam@ooo, the
ooo-security@apache list was still in the process of being
setup/populated, and there was an ongoing policy discussion here.
When that discussion was settled it seems someone on the
On 6 October 2011 16:53, Rory O'Farrell ofarr...@iol.ie wrote:
Responsible Apache people need to rethink
their insistence on their method to the exclusion of all other
methods.
Please read the comments in this thread by an OOo mentor, Shane Curcuru.
Please also see the advice and guidance of
On Thu, 6 Oct 2011 17:06:36 +0100
Ross Gardler rgard...@opendirective.com wrote:
On 6 October 2011 16:53, Rory O'Farrell ofarr...@iol.ie wrote:
Responsible Apache people need to rethink
their insistence on their method to the exclusion of all other
methods.
Please read the comments in
On 6 October 2011 17:16, Rory O'Farrell ofarr...@iol.ie wrote:
On Thu, 6 Oct 2011 17:06:36 +0100
Ross Gardler rgard...@opendirective.com wrote:
On 6 October 2011 16:53, Rory O'Farrell ofarr...@iol.ie wrote:
Responsible Apache people need to rethink
their insistence on their method to the
Hi,
Ross Gardler wrote on 2011-10-06 18:26:
I understand where you are coming from. There is a misunderstanding
about The Apache Way. There are very few things that are fixed in
stone. However, newcomers often rely on written descriptions of common
practice and assume that such a description is
On Oct 6, 2011, at 9:26 AM, Ross Gardler wrote:
On 6 October 2011 17:16, Rory O'Farrell ofarr...@iol.ie wrote:
On Thu, 6 Oct 2011 17:06:36 +0100
Ross Gardler rgard...@opendirective.com wrote:
On 6 October 2011 16:53, Rory O'Farrell ofarr...@iol.ie wrote:
Responsible Apache people need
-
From: Rory O'Farrell [mailto:ofarr...@iol.ie]
Sent: Thursday, October 06, 2011 09:16
To: ooo-dev@incubator.apache.org
Subject: Re: Vulnerability fixed in LibreOffice
[ ... ]
With respect, it is not the tone of _my_ emails that need
amelioration, but the blanket insistence from some posters
Hi
On 05.10.11 19:14, FR web forum wrote:
Good morning,
TDF has published a fix for LibO: http://wp.me/p1byPE-bQ
Do you know if OOo is impacted too?
As described on my homepage
(http://www.raphaelbircher.ch/computer_tagebuch.php), I will try to make
a patch for the OOo 3.3 for Mac OS X.
on users of the software, more
can be provided.
- Dennis
-Original Message-
From: FR web forum [mailto:ooofo...@free.fr]
Sent: Thursday, October 06, 2011 01:27
To: ooo-dev@incubator.apache.org
Subject: Re: Vulnerability fixed in LibreOffice
Anyone can post to anyone's security list
I've investigated and I am informed by one of the LO developers:
The initial report was sent to securityt...@openoffice.org on
25-07-2011, the assigned CVE id was cc'ed there somewhat later on. I
posted the 5 patches which in combination would fix it to the list as
well. I was informed an
time that either of our projects learn about
something like this in a press release.
- Dennis
-Original Message-
From: Simon Phipps [mailto:si...@webmink.com]
Sent: Wednesday, October 05, 2011 12:49
To: ooo-dev@incubator.apache.org
Subject: Re: Vulnerability fixed
On Oct 5, 2011, at 3:03 PM, Simon Phipps wrote:
On Oct 5, 2011 9:22 PM, Dennis E. Hamilton orc...@apache.org wrote:
That information concerning an ApacheOOo representative on
securityt...@openoffice.org is apparently inaccurate.
I am told that Rob is on that list. Rob, is that correct?
On Wed, Oct 5, 2011 at 11:11 PM, Dave Fisher dave2w...@comcast.net wrote:
To be fair there have been email outages at least twice with
openoffice.org - perhaps the messages were lost during that time.
Entirely plausible, I agree.
So given securityt...@openoffice.org appears to be abandoned,
-
From: Simon Phipps [mailto:si...@webmink.com]
Sent: Wednesday, October 05, 2011 16:01
To: ooo-dev@incubator.apache.org
Subject: Re: Vulnerability fixed in LibreOffice
On Wed, Oct 5, 2011 at 11:11 PM, Dave Fisher dave2w...@comcast.net wrote:
To be fair there have been email outages at least
On 6 Oct 2011, at 00:25, Dennis E. Hamilton wrote:
Whatever the arrangement is to become, it should not have a single point of
failure in achieving coordination on common-mode/mono-culture vulnerabilities.
Agreed. Let's design something without one.
Anyone can post to anyone's security
63 matches