Posted to dev@openoffice.apache.org by Rob Weir <ro...@apache.org> on 2011/12/11 19:20:00 UTC

Proposal: ooo-announce list

I see that many other projects have an official announce list.  This
would be used for official public communications:

1) New releases

2) New services

3) New blog posts

4) Security patches

5) Expected downtime

6) Migration updates

The idea would be for it to be low-volume but with high membership.
If possible via ezmlm, it would be a read-only list except for
moderators.  Content for posting would first be discussed and approved
on ooo-dev before going out on the announce list.

Some might say that we could just do this via existing ooo-dev or
ooo-user lists, but the higher traffic on those lists is too much for
someone who wants only the most important notices.

If we do have an optional registration screen in the 3.4 install,
maybe this is the list we offer to sign users up for.

If there are no objections to this list, I'll need a few things:

1) Verification that such a read-only list is possible

2) A few moderator volunteers -- noting that the moderator role in
this case is more of an assist to help publish PPMC-approved content
to the list.

-Rob

Re: Proposal: ooo-announce list

Posted by Rob Weir <ro...@apache.org>.
On Sat, Dec 17, 2011 at 2:25 PM, Dennis E. Hamilton <or...@apache.org> wrote:
> +1 as well.  I'm still declining any further moderator gigs at this time.
>

I put in the Infra request 5 days ago.  We can stop voting now.

-Rob

>  - Dennis
>
> -----Original Message-----
> From: Kay Schenk [mailto:kay.schenk@gmail.com]
> Sent: Saturday, December 17, 2011 09:13
> To: ooo-dev@incubator.apache.org
> Subject: Re: Proposal: ooo-announce list
>
> On Sun, Dec 11, 2011 at 10:20 AM, Rob Weir <ro...@apache.org> wrote:
>
>> I see that many other projects have an official announce list.  This
>> would be used for official public communications:
>>
>> 1) New releases
>>
>> 2) New services
>>
>> 3) New blog posts
>>
>> 4) Security patches
>>
>> 5) Expected downtime
>>
>> 6) Migration updates
>>
>> The idea would be for it to be low-volume but with high membership.
>> If possible via ezmlm, it would be a read-only list except for
>> moderators.  Content for posting would first be discussed and approved
>> on ooo-dev before going out on the announce list.
>>
>> Some might say that we could just do this via existing ooo-dev or
>> ooo-user lists, but the higher traffic on those lists is too much for
>> someone who wants only the most important notices.
>>
>
> +1 to all ideas...a very good idea in fact! :)
>
>
>>
>> If we do have an optional registration screen in the 3.4 install,
>> maybe this is the list we offer to sign users up for.
>>
>> If there are no objections to this list, I'll need a few things:
>>
>> 1) Verification that such a read-only list is possible
>>
>> 2) A few moderator volunteers -- noting that the moderator role in
>> this case is more of an assist to help publish PPMC-approved content
>> to the list.
>>
>> -Rob
>>
>
>
>
> --
> ----------------------------------------------------------------------------------------
> MzK
>
> "The greatness of a nation and its moral progress can be judged
>  by the way its animals are treated."
>                              -- Mohandas Gandhi
>

RE: Proposal: ooo-announce list

Posted by "Dennis E. Hamilton" <or...@apache.org>.
+1 as well.  I'm still declining any further moderator gigs at this time.

 - Dennis

-----Original Message-----
From: Kay Schenk [mailto:kay.schenk@gmail.com] 
Sent: Saturday, December 17, 2011 09:13
To: ooo-dev@incubator.apache.org
Subject: Re: Proposal: ooo-announce list

On Sun, Dec 11, 2011 at 10:20 AM, Rob Weir <ro...@apache.org> wrote:

> I see that many other projects have an official announce list.  This
> would be used for official public communications:
>
> 1) New releases
>
> 2) New services
>
> 3) New blog posts
>
> 4) Security patches
>
> 5) Expected downtime
>
> 6) Migration updates
>
> The idea would be for it to be low-volume but with high membership.
> If possible via ezmlm, it would be a read-only list except for
> moderators.  Content for posting would first be discussed and approved
> on ooo-dev before going out on the announce list.
>
> Some might say that we could just do this via existing ooo-dev or
> ooo-user lists, but the higher traffic on those lists is too much for
> someone who wants only the most important notices.
>

+1 to all ideas...a very good idea in fact! :)


>
> If we do have an optional registration screen in the 3.4 install,
> maybe this is the list we offer to sign users up for.
>
> If there are no objections to this list, I'll need a few things:
>
> 1) Verification that such a read-only list is possible
>
> 2) A few moderator volunteers -- noting that the moderator role in
> this case is more of an assist to help publish PPMC-approved content
> to the list.
>
> -Rob
>



-- 
----------------------------------------------------------------------------------------
MzK

"The greatness of a nation and its moral progress can be judged
 by the way its animals are treated."
                              -- Mohandas Gandhi


Re: Proposal: ooo-announce list

Posted by Kay Schenk <ka...@gmail.com>.
On Sun, Dec 11, 2011 at 10:20 AM, Rob Weir <ro...@apache.org> wrote:

> I see that many other projects have an official announce list.  This
> would be used for official public communications:
>
> 1) New releases
>
> 2) New services
>
> 3) New blog posts
>
> 4) Security patches
>
> 5) Expected downtime
>
> 6) Migration updates
>
> The idea would be for it to be low-volume but with high membership.
> If possible via ezmlm, it would be a read-only list except for
> moderators.  Content for posting would first be discussed and approved
> on ooo-dev before going out on the announce list.
>
> Some might say that we could just do this via existing ooo-dev or
> ooo-user lists, but the higher traffic on those lists is too much for
> someone who wants only the most important notices.
>

+1 to all ideas...a very good idea in fact! :)


>
> If we do have an optional registration screen in the 3.4 install,
> maybe this is the list we offer to sign users up for.
>
> If there are no objections to this list, I'll need a few things:
>
> 1) Verification that such a read-only list is possible
>
> 2) A few moderator volunteers -- noting that the moderator role in
> this case is more of an assist to help publish PPMC-approved content
> to the list.
>
> -Rob
>



-- 
----------------------------------------------------------------------------------------
MzK

"The greatness of a nation and its moral progress can be judged
 by the way its animals are treated."
                              -- Mohandas Gandhi

Re: Proposal: ooo-announce list

Posted by Donald Harbison <dp...@gmail.com>.
+1.

...good idea(s). Let's get it created.

On Sun, Dec 11, 2011 at 1:20 PM, Rob Weir <ro...@apache.org> wrote:

> I see that many other projects have an official announce list.  This
> would be used for official public communications:
>
> 1) New releases
>
> 2) New services
>
> 3) New blog posts
>
> 4) Security patches
>
> 5) Expected downtime
>
> 6) Migration updates
>
> The idea would be for it to be low-volume but with high membership.
> If possible via ezmlm, it would be a read-only list except for
> moderators.  Content for posting would first be discussed and approved
> on ooo-dev before going out on the announce list.
>
> Some might say that we could just do this via existing ooo-dev or
> ooo-user lists, but the higher traffic on those lists is too much for
> someone who wants only the most important notices.
>
> If we do have an optional registration screen in the 3.4 install,
> maybe this is the list we offer to sign users up for.
>
> If there are no objections to this list, I'll need a few things:
>
> 1) Verification that such a read-only list is possible
>
> 2) A few moderator volunteers -- noting that the moderator role in
> this case is more of an assist to help publish PPMC-approved content
> to the list.
>
> -Rob
>

RE: Proposal: ooo-announce list

Posted by "Dennis E. Hamilton" <de...@acm.org>.
No, sorry.

I'm all moderatored up.

 - Dennis

-----Original Message-----
From: Rob Weir [mailto:robweir@apache.org] 
Sent: Monday, December 12, 2011 11:01
To: ooo-dev@incubator.apache.org
Subject: Re: Proposal: ooo-announce list

On Sun, Dec 11, 2011 at 7:00 PM, Dennis E. Hamilton
<de...@acm.org> wrote:
> I think the ooo-announce list is a good idea.  The blog would be an alternative, since it is rather the official voice of the Apache OpenOffice podling.  The RSS feed can be the equivalent of list subscription.
>

Can I put you down as a moderator?  We could use someone on the west coast.

-Rob


Re: Proposal: ooo-announce list

Posted by Rob Weir <ro...@apache.org>.
On Sun, Dec 11, 2011 at 7:00 PM, Dennis E. Hamilton
<de...@acm.org> wrote:
> I think the ooo-announce list is a good idea.  The blog would be an alternative, since it is rather the official voice of the Apache OpenOffice podling.  The RSS feed can be the equivalent of list subscription.
>

Can I put you down as a moderator?  We could use someone on the west coast.

-Rob

RE: Proposal: ooo-announce list

Posted by "Dennis E. Hamilton" <de...@acm.org>.
Got it.

Thanks.

 - Dennis

-----Original Message-----
From: Rob Weir [mailto:robweir@apache.org] 
Sent: Sunday, December 11, 2011 17:02
To: ooo-dev@incubator.apache.org
Subject: Re: Proposal: ooo-announce list

On Sun, Dec 11, 2011 at 7:00 PM, Dennis E. Hamilton
<de...@acm.org> wrote:
> I think the ooo-announce list is a good idea.  The blog would be an alternative, since it is rather the official voice of the Apache OpenOffice podling.  The RSS feed can be the equivalent of list subscription.
>
> A detail:
>
> I don't believe there is any exception to the PPMC having the decisions and accountability about security fixes and announcements.
>

The PPMC delegates that authority to the security team.  See the
process here, especially step 14:

http://www.apache.org/security/committers.html

Note that the report to the announce list is just one of a list of 5
or so announcement emails that the security team would make, to Apache
and non-Apache lists.

-Rob


Re: Proposal: ooo-announce list

Posted by Rob Weir <ro...@apache.org>.
On Sun, Dec 11, 2011 at 7:00 PM, Dennis E. Hamilton
<de...@acm.org> wrote:
> I think the ooo-announce list is a good idea.  The blog would be an alternative, since it is rather the official voice of the Apache OpenOffice podling.  The RSS feed can be the equivalent of list subscription.
>
> A detail:
>
> I don't believe there is any exception to the PPMC having the decisions and accountability about security fixes and announcements.
>

The PPMC delegates that authority to the security team.  See the
process here, especially step 14:

http://www.apache.org/security/committers.html

Note that the report to the announce list is just one of a list of 5
or so announcement emails that the security team would make, to Apache
and non-Apache lists.

-Rob

RE: Proposal: ooo-announce list

Posted by "Dennis E. Hamilton" <de...@acm.org>.
I think the ooo-announce list is a good idea.  The blog would be an alternative, since it is rather the official voice of the Apache OpenOffice podling.  The RSS feed can be the equivalent of list subscription.  

A detail:

I don't believe there is any exception to the PPMC having the decisions and accountability about security fixes and announcements.  

I recall Rob Weir arguing that very strongly on this list as part of objection to creation of ooo-security in the first place, something that was finally done because security@ made it clear there was no way security reports would be forwarded to the podling until there was such an ooo-security list and team behind it.

The security team should be invisible but for the sensitive work with reporters and analysis of reported vulnerabilities and exploits.  Ultimately, the PPMC has to determine the way forward, if ooo-security confirms vulnerabilities and exploits.  Public reports should come from the project and be reviewed and authorized by the PPMC.

 - Dennis

-----Original Message-----
From: Rob Weir [mailto:robweir@apache.org] 
Sent: Sunday, December 11, 2011 11:08
To: ooo-dev@incubator.apache.org
Subject: Re: Proposal: ooo-announce list

[ ... ]

Note:  this would be the exception to the rule that announcements are
pre-discussed by the PPMC.  I'd expect that such announcements would
come directly from the security team.  So we would need to have one of
the moderators for the announce list be from that team.

[ ... ]


Re: Proposal: ooo-announce list

Posted by Rob Weir <ro...@apache.org>.
On Mon, Dec 12, 2011 at 10:14 AM, Andrea Pescetti
<pe...@openoffice.org> wrote:
> On 11/12/2011 Rob Weir wrote:
>>
>> The practice is to check in such fixes without making it evident to
>> the observer that it is security-related.  So don't expect SVN
>> comments to give it away.
>
>
> Like this?
> http://cgit.freedesktop.org/libreoffice/core/commit/?id=cf5d0e20f2ba5a71f9ca2ed78a1b24841c97bb06
>

We'll probably see things like this as well, but not until after the
security report is made.  Remember, with SVN a commit comment is just
a property (svn:log), and that can be changed.  So the process would
be to commit the fix without drawing attention to it, and then after
the public report is made, to go back and update the SVN log to
include the CVE for that revision.

See step 15 here:

http://www.apache.org/security/committers.html

-Rob

> I know the example is from LibreOffice (even though the bug might be shared
> with OpenOffice.org or Apache OpenOffice) but I just happened to spot it and
> it doesn't seem particularly hidden... Such a policy would have to apply to
> all related projects (again, I totally don't know if this bug is related to
> Apache OpenOffice too, I'm just discussing the issue in general).
>
> Regards,
>  Andrea.

Re: Proposal: ooo-announce list

Posted by Kazunari Hirano <kh...@gmail.com>.
Hi

On Fri, Dec 16, 2011 at 11:02 PM, Rob Weir <ro...@apache.org> wrote:
> https://issues.apache.org/jira/browse/INFRA-4207

Good.  Thanks.

> I think we only need one announcement list.  It can be used for all
> languages. We can even have multiple translations in the same
> announcement if we want,

I also think so.  I was saying that I have something I would like to
announce using ooo-announce@incubator.apache.org.
:)
Thanks,
khirano
-- 
khirano@apache.org
OpenOffice.org[TM](incubating)|The Free and Open Productivity Suite
Apache incubator
http://incubator.apache.org/openofficeorg/

Re: Proposal: ooo-announce list

Posted by Rob Weir <ro...@apache.org>.
On Fri, Dec 16, 2011 at 8:40 AM, Kazunari Hirano <kh...@gmail.com> wrote:
> Hi
>
> Will ooo-announce list be created?
>

I created a JIRA issue for this:

https://issues.apache.org/jira/browse/INFRA-4207

> I give +1 for that.
>
> I would like to propose an announcement about native language projects
> and localization.
> https://cwiki.apache.org/confluence/display/OOOUSERS/Native+Language+Projects
> :)
>

I think we only need one announcement list.  It can be used for all
languages. We can even have multiple translations in the same
announcement if we want,

-Rob

> Thanks,
> khirano
> --
> khirano@apache.org
> OpenOffice.org[TM](incubating)|The Free and Open Productivity Suite
> Apache incubator
> http://incubator.apache.org/openofficeorg/

Re: Proposal: ooo-announce list

Posted by Kazunari Hirano <kh...@gmail.com>.
Hi

Will ooo-announce list be created?

I give +1 for that.

I would like to propose an announcement about native language projects
and localization.
https://cwiki.apache.org/confluence/display/OOOUSERS/Native+Language+Projects
:)

Thanks,
khirano
-- 
khirano@apache.org
OpenOffice.org[TM](incubating)|The Free and Open Productivity Suite
Apache incubator
http://incubator.apache.org/openofficeorg/

Re: Proposal: ooo-announce list

Posted by Andrea Pescetti <pe...@openoffice.org>.
On 13/12/2011 Michael Meeks wrote:
> On Mon, 2011-12-12 at 16:14 +0100, Andrea Pescetti wrote:
>> http://cgit.freedesktop.org/libreoffice/core/commit/?id=cf5d0e20f2ba5a71f9ca2ed78a1b24841c97bb06
>> ... it doesn't seem particularly hidden...
> Sure - that is because this CVE is already public, presumably because
> the bug it is related to is also public cf.
> https://bugzilla.redhat.com/show_bug.cgi?id=765812 and associated links.

In the CVE database it isn't public yet:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4599

But indeed both Caolán and Red Hat have enough experience and reputation 
in handling issues to make it unlikely that this is a dangerous or 
careless disclosure. I'm confident that, if the issue affects 
OpenOffice.org or Apache OpenOffice too, it has been notified to the 
appropriate lists.

Regards,
   Andrea.

Re: Proposal: ooo-announce list

Posted by Michael Meeks <mi...@suse.com>.
On Mon, 2011-12-12 at 16:14 +0100, Andrea Pescetti wrote:
> On 11/12/2011 Rob Weir wrote:
> > The practice is to check in such fixes without making it evident to
> > the observer that it is security-related.

	This would be our normal practise too; though we can't edit git history
but we could presumably add a note later to tag a commit.

> Like this?
> http://cgit.freedesktop.org/libreoffice/core/commit/?id=cf5d0e20f2ba5a71f9ca2ed78a1b24841c97bb06
> 
> I know the example is from LibreOffice (even though the bug might be 
> shared with OpenOffice.org or Apache OpenOffice) but I just happened to 
> spot it and it doesn't seem particularly hidden...

	Sure - that is because this CVE is already public, presumably because
the bug it is related to is also public cf.
https://bugzilla.redhat.com/show_bug.cgi?id=765812 and associated links.
Thus there is no particular benefit in hiding the fact; anyone skilled
in the art can grok our included projects and correlate them with an
existing list of CVEs.

	ATB,

		Michael.

-- 
michael.meeks@suse.com  <><, Pseudo Engineer, itinerant idiot


Re: Proposal: ooo-announce list

Posted by Andrea Pescetti <pe...@openoffice.org>.
On 11/12/2011 Rob Weir wrote:
> The practice is to check in such fixes without making it evident to
> the observer that it is security-related.  So don't expect SVN
> comments to give it away.

Like this?
http://cgit.freedesktop.org/libreoffice/core/commit/?id=cf5d0e20f2ba5a71f9ca2ed78a1b24841c97bb06

I know the example is from LibreOffice (even though the bug might be 
shared with OpenOffice.org or Apache OpenOffice) but I just happened to 
spot it and it doesn't seem particularly hidden... Such a policy would 
have to apply to all related projects (again, I totally don't know if 
this bug is related to Apache OpenOffice too, I'm just discussing the 
issue in general).

Regards,
   Andrea.

Re: Proposal: ooo-announce list

Posted by Rob Weir <ro...@apache.org>.
On Sun, Dec 11, 2011 at 2:43 PM, TJ Frazier <tj...@cfl.rr.com> wrote:
> On 12/11/2011 14:08, Rob Weir wrote:
>>
>> On Sun, Dec 11, 2011 at 1:53 PM, TJ Frazier<tj...@cfl.rr.com>  wrote:
>>>
>>> +1 in general; quibbles in-line.
>>>
>>>
>>> On 12/11/2011 13:20, Rob Weir wrote:
>>>>
>>>>
>>>> I see that many other projects have an official announce list.  This
>>>> would be used for official public communications:
>>>>
>>>> 1) New releases
>>>>
>>>> 2) New services
>>>>
>>>> 3) New blog posts
>>>
>>>
>>>
>>> Unnecessary. Interested parties will track these themselves.
>>>>
>>>>
>>>>
>>>> 4) Security patches
>>>
>>>
>>>
>>> Redundant. We should have a release ready with the fix, which will be
>>> announced. --/tj/
>>>
>>
>> Even with a release, we still should have a security announcement.
>>
>> See step 14 here:
>>
>> "The project team announces the release and the vulnerability.
>> Typically this will be sent to the reporter, the project's users list,
>> the project's dev list, the project's announce list,
>> security@apache.org, full-disclosure@lists.grok.org.uk and
>> bugtraq@securityfocus.com. The project's security pages should also be
>> updated. This is the first point that any information regarding the
>> vulnerability is made public."
>>
>> http://www.apache.org/security/committers.html
>>
>> So there is a summary of the vulnerability that gets posted to the
>> announce list, and several other lists, with a CVE number (Common
>> Vulnerabilities and Exposures).  This makes it easy to cross reference
>> exactly what security issues are patched in a given release.  Maybe
>> not so interesting for end users to have that detail broken out, but
>> it is important, for example, for those who repackage and redistribute
>> OpenOffice, e.g., Linux distros.
>>
>> We might also be coordinating with other products or components on the
>> announcement.  Say, hypothetically, that there is a horrible security
>> flaw in Hunspell.  We'd coordinate with Hunspell, and with LO and
>> Firefox on a patch.  We'd patch our tree and release a new AOO with
>> the fix.  But we would coordinate the timing of the security
>> announcement until LO and Firefox also had their releases ready.  You
>> don't want the first product that is released to "spill the beans" and
>> make the users of the products that use the component vulnerable to a
>> now public issue.  So there might be an interval between the release
>> announcement and the security announcement.
>>
> Good point, but ... if the code is in the release, then the source is in
> SVN, which is as good as an announcement for some people. We may want to

The practice is to check in such fixes without making it evident to
the observer that it is security-related.  So don't expect SVN
comments to give it away.  The security team would patch stealthily,
and only update the SVN comment after release and announcement.  There
are various ways of making such check-ins non-obvious, none of which I
will describe here.

Of course, someone could be really clever and figure it out by looking
at all check-ins.  But they could also be very clever and find it by
reading the code.  Obviously we're not fixing undetectable problems.
We're fixing the ones that have been detected.  If one person has
detected a problem then so can another, regardless of what we do.  But
we don't need to make it easy for them.

> coordinate releases, too; any delay should only be a matter of a few days. I
> am underwhelmed by the thought of reading, "Oh, BTW, that latest release
> fixes a horrid security bug, and you should install it ASAP ..."
>
> /tj/
>
>
>> Note:  this would be the exception to the rule that announcements are
>> pre-discussed by the PPMC.  I'd expect that such announcements would
>> come directly from the security team.  So we would need to have one of
>> the moderators for the announce list be from that team.
>>
>
> [snip]
>
>

Re: Proposal: ooo-announce list

Posted by TJ Frazier <tj...@cfl.rr.com>.
On 12/11/2011 14:08, Rob Weir wrote:
> On Sun, Dec 11, 2011 at 1:53 PM, TJ Frazier<tj...@cfl.rr.com>  wrote:
>> +1 in general; quibbles in-line.
>>
>>
>> On 12/11/2011 13:20, Rob Weir wrote:
>>>
>>> I see that many other projects have an official announce list.  This
>>> would be used for official public communications:
>>>
>>> 1) New releases
>>>
>>> 2) New services
>>>
>>> 3) New blog posts
>>
>>
>> Unnecessary. Interested parties will track these themselves.
>>>
>>>
>>> 4) Security patches
>>
>>
>> Redundant. We should have a release ready with the fix, which will be
>> announced. --/tj/
>>
>
> Even with a release, we still should have a security announcement.
>
> See step 14 here:
>
> "The project team announces the release and the vulnerability.
> Typically this will be sent to the reporter, the project's users list,
> the project's dev list, the project's announce list,
> security@apache.org, full-disclosure@lists.grok.org.uk and
> bugtraq@securityfocus.com. The project's security pages should also be
> updated. This is the first point that any information regarding the
> vulnerability is made public."
>
> http://www.apache.org/security/committers.html
>
> So there is a summary of the vulnerability that gets posted to the
> announce list, and several other lists, with a CVE number (Common
> Vulnerabilities and Exposures).  This makes it easy to cross reference
> exactly what security issues are patched in a given release.  Maybe
> not so interesting for end users to have that detail broken out, but
> it is important, for example, for those who repackage and redistribute
> OpenOffice, e.g., Linux distros.
>
> We might also be coordinating with other products or components on the
> announcement.  Say, hypothetically, that there is a horrible security
> flaw in Hunspell.  We'd coordinate with Hunspell, and with LO and
> Firefox on a patch.  We'd patch our tree and release a new AOO with
> the fix.  But we would coordinate the timing of the security
> announcement until LO and Firefox also had their releases ready.  You
> don't want the first product that is released to "spill the beans" and
> make the users of the products that use the component vulnerable to a
> now public issue.  So there might be an interval between the release
> announcement and the security announcement.
>
Good point, but ... if the code is in the release, then the source is in 
SVN, which is as good as an announcement for some people. We may want to 
coordinate releases, too; any delay should only be a matter of a few 
days. I am underwhelmed by the thought of reading, "Oh, BTW, that latest 
release fixes a horrid security bug, and you should install it ASAP ..."

/tj/

> Note:  this would be the exception to the rule that announcements are
> pre-discussed by the PPMC.  I'd expect that such announcements would
> come directly from the security team.  So we would need to have one of
> the moderators for the announce list be from that team.
>

[snip]



Re: Proposal: ooo-announce list

Posted by Rob Weir <ro...@apache.org>.
On Sun, Dec 11, 2011 at 1:53 PM, TJ Frazier <tj...@cfl.rr.com> wrote:
> +1 in general; quibbles in-line.
>
>
> On 12/11/2011 13:20, Rob Weir wrote:
>>
>> I see that many other projects have an official announce list.  This
>> would be used for official public communications:
>>
>> 1) New releases
>>
>> 2) New services
>>
>> 3) New blog posts
>
>
> Unnecessary. Interested parties will track these themselves.
>>
>>
>> 4) Security patches
>
>
> Redundant. We should have a release ready with the fix, which will be
> announced. --/tj/
>

Even with a release, we still should have a security announcement.

See step 14 here:

"The project team announces the release and the vulnerability.
Typically this will be sent to the reporter, the project's users list,
the project's dev list, the project's announce list,
security@apache.org, full-disclosure@lists.grok.org.uk and
bugtraq@securityfocus.com. The project's security pages should also be
updated. This is the first point that any information regarding the
vulnerability is made public."

http://www.apache.org/security/committers.html

So there is a summary of the vulnerability that gets posted to the
announce list, and several other lists, with a CVE number (Common
Vulnerabilities and Exposures).  This makes it easy to cross reference
exactly what security issues are patched in a given release.  Maybe
not so interesting for end users to have that detail broken out, but
it is important, for example, for those who repackage and redistribute
OpenOffice, e.g., Linux distros.

We might also be coordinating with other products or components on the
announcement.  Say, hypothetically, that there is a horrible security
flaw in Hunspell.  We'd coordinate with Hunspell, and with LO and
Firefox on a patch.  We'd patch our tree and release a new AOO with
the fix.  But we would coordinate the timing of the security
announcement until LO and Firefox also had their releases ready.  You
don't want the first product that is released to "spill the beans" and
make the users of the products that use the component vulnerable to a
now public issue.  So there might be an interval between the release
announcement and the security announcement.

Note:  this would be the exception to the rule that announcements are
pre-discussed by the PPMC.  I'd expect that such announcements would
come directly from the security team.  So we would need to have one of
the moderators for the announce list be from that team.

>>
>> 5) Expected downtime
>>
>> 6) Migration updates
>>
>> The idea would be for it to be low-volume but with high membership.
>> If possible via ezmlm, it would be a read-only list except for
>> moderators.  Content for posting would first be discussed and approved
>> on ooo-dev before going out on the announce list.
>>
>> Some might say that we could just do this via existing ooo-dev or
>> ooo-user lists, but the higher traffic on those lists is too much for
>> someone who wants only the most important notices.
>>
>> If we do have an optional registration screen in the 3.4 install,
>> maybe this is the list we offer to sign users up for.
>>
>> If there are no objections to this list, I'll need a few things:
>>
>> 1) Verification that such a read-only list is possible
>>
>> 2) A few moderator volunteers -- noting that the moderator role in
>> this case is more of an assist to help publish PPMC-approved content
>> to the list.
>>
>> -Rob
>>
>>
>
>

Re: Proposal: ooo-announce list

Posted by TJ Frazier <tj...@cfl.rr.com>.
+1 in general; quibbles in-line.

On 12/11/2011 13:20, Rob Weir wrote:
> I see that many other projects have an official announce list.  This
> would be used for official public communications:
>
> 1) New releases
>
> 2) New services
>
> 3) New blog posts

Unnecessary. Interested parties will track these themselves.
>
> 4) Security patches

Redundant. We should have a release ready with the fix, which will be 
announced. --/tj/
>
> 5) Expected downtime
>
> 6) Migration updates
>
> The idea would be for it to be low-volume but with high membership.
> If possible via ezmlm, it would be a read-only list except for
> moderators.  Content for posting would first be discussed and approved
> on ooo-dev before going out on the announce list.
>
> Some might say that we could just do this via existing ooo-dev or
> ooo-user lists, but the higher traffic on those lists is too much for
> someone who wants only the most important notices.
>
> If we do have an optional registration screen in the 3.4 install,
> maybe this is the list we offer to sign users up for.
>
> If there are no objections to this list, I'll need a few things:
>
> 1) Verification that such a read-only list is possible
>
> 2) A few moderator volunteers -- noting that the moderator role in
> this case is more of an assist to help publish PPMC-approved content
> to the list.
>
> -Rob
>
>



Re: Proposal: ooo-announce list

Posted by drew <dr...@baseanswers.com>.
On Mon, 2011-12-12 at 16:52 -0500, Rob Weir wrote:
> On Sun, Dec 11, 2011 at 1:20 PM, Rob Weir <ro...@apache.org> wrote:
> > I see that many other projects have an official announce list.  This
> > would be used for official public communications:
> >
> 
> https://issues.apache.org/jira/browse/INFRA-4207

Excellent.

I just wanted to come back to one item - interfacing the Blog.

I think you came at it from the case of making posts to the announce list
about blog postings and that was seen as redundant - I agree in that
scenario - but - what I do think does make sense is that when something
is worthy to go out on the announce ML then a copy of the content (minus
any ML adornments [footer lines, etc] of course) should go as a post to
the blog.

I suspect that could be automated fairly easily, but even if not then
it's not that large a burden for someone to just take the task of
posting the content to the blog.

Best wishes,

//drew

> 
> -Rob
> 



Re: Proposal: ooo-announce list

Posted by Rob Weir <ro...@apache.org>.
On Sun, Dec 11, 2011 at 1:20 PM, Rob Weir <ro...@apache.org> wrote:
> I see that many other projects have an official announce list.  This
> would be used for official public communications:
>

https://issues.apache.org/jira/browse/INFRA-4207

-Rob

Re: Proposal: ooo-announce list

Posted by Rob Weir <ro...@apache.org>.
On Sun, Dec 11, 2011 at 1:38 PM, imacat <im...@mail.imacat.idv.tw> wrote:
> On 2011/12/12 02:20, Rob Weir said:
>> I see that many other projects have an official announce list.  This
>> would be used for official public communications:
>
>    This is a great idea.  In fact, this is the right way to do.
>
>> 3) New blog posts
>
>    I think this should be reconsidered.  What kind of blog posts will
> we send?
>

I don't think we would post the actual blog post, but maybe a link to
each new blog post.  This would be the project's blog, not personal
blogs:

http://blogs.apache.org/OOo/

>> 2) A few moderator volunteers -- noting that the moderator role in
>> this case is more of an assist to help publish PPMC-approved content
>> to the list.
>
>    If it is OK I would like to volunteer for this.
>
>    Besides, shouldn't that list be aoo-announce instead of ooo-announce?
>
>    (Actually, the same goes for aoo-users and aoo-dev?)
>

When we graduate the name probably becomes dev@openoffice.apache.org,
announce@openoffice.apache.org, etc.

> --
> Best regards,
> imacat ^_*' <im...@mail.imacat.idv.tw>
> PGP Key http://www.imacat.idv.tw/me/pgpkey.asc
>
> <<Woman's Voice>> News: http://www.wov.idv.tw/
> Tavern IMACAT's http://www.imacat.idv.tw/
> Woman in FOSS in Taiwan http://wofoss.blogspot.com/
> OpenOffice.org http://www.openoffice.org/
> EducOO/OOo4Kids Taiwan http://www.educoo.tw/
>

Re: Proposal: ooo-announce list

Posted by imacat <im...@mail.imacat.idv.tw>.
On 2011/12/12 02:20, Rob Weir said:
> I see that many other projects have an official announce list.  This
> would be used for official public communications:

    This is a great idea.  In fact, this is the right way to do.

> 3) New blog posts

    I think this should be reconsidered.  What kind of blog posts will
we send?

> 2) A few moderator volunteers -- noting that the moderator role in
> this case is more of an assist to help publish PPMC-approved content
> to the list.

    If it is OK I would like to volunteer for this.

    Besides, shouldn't that list be aoo-announce instead of ooo-announce?

    (Actually, the same goes for aoo-users and aoo-dev?)

-- 
Best regards,
imacat ^_*' <im...@mail.imacat.idv.tw>
PGP Key http://www.imacat.idv.tw/me/pgpkey.asc

<<Woman's Voice>> News: http://www.wov.idv.tw/
Tavern IMACAT's http://www.imacat.idv.tw/
Woman in FOSS in Taiwan http://wofoss.blogspot.com/
OpenOffice.org http://www.openoffice.org/
EducOO/OOo4Kids Taiwan http://www.educoo.tw/