Posted to dev@openoffice.apache.org by "Dennis E. Hamilton" <or...@apache.org> on 2011/07/06 21:02:31 UTC

[DISCUSS] Creation of ooo-security List

[I am reminded that the best way to talk to the PPMC is on ooo-dev and there is benefit in so doing.  Here goes.]

PROPOSAL

ooo-security@incubator.a.o be set up as a private list and a selection of not more than 10 security-aware PPMC members be subscribed to it.  We need to work out what the composition would be.  The list will be automatically forwarded to security@a.o.  I assume that there might be security-aware ooo-podling mentors and other ASF Members included in the small PPMC subscription.

DETAILS

General information about the Apache Security Team:
<http://www.apache.org/security/>

More details on the handling of security and vulnerabilities by committers and the role of the [P]PMC:
<http://www.apache.org/security/committers.html>

Note that creation of a security page on our web site is also part of this.  That should happen near-immediately also.

BACKGROUND  

I have been nosing around in document-related security areas and that has led me to inquire what the arrangements need to be for discussing security issues, identified vulnerabilities, proposed mitigations, etc.

I've learned that the Apache approach is for each PMC taking the lead in handling security matters related to its releases.  To maintain the security of security matters, the practice is to have a private list (for us, ooo-security) with not more than ten security-aware subscribers.

Since we may have "common-mode" issues with respect to the use of our common code base and implementation behaviors, it may be necessary to coordinate with other teams, including the LibreOffice security team, in our case.  We'll have to work that out on an individual-case basis, I suspect.  I don't know if we have any PPMC members who are also on that team, and I don't know what the structure was for OpenOffice.org and who may have been involved.

 - Dennis


Re: [DISCUSS] Creation of ooo-security List

Posted by Wolf Halton <wo...@gmail.com>.
In some ways, the larger the security group, the quicker the solution rate.
Security patches will need to be checked before they are committed, so the
issue fixed doesn't break 3 other parts of the code.


On Wed, Jul 6, 2011 at 6:54 PM, Daniel Shahaf <d....@daniel.shahaf.name> wrote:

> Dennis E. Hamilton wrote on Wed, Jul 06, 2011 at 12:02:31 -0700:
> > I've learned that the Apache approach is for each PMC taking the lead
> > in handling security matters related to its releases.  To maintain the
> > security of security matters, the practice is to have a private list
> > (for us, ooo-security) with not more than ten security-aware
> > subscribers.
>
> I've never heard of a magic number cap to the # of subscribers of
> a mailing list.
>



-- 
This Apt Has Super Cow Powers - http://sourcefreedom.com

Re: [DISCUSS] Creation of ooo-security List

Posted by Mathias Bauer <Ma...@gmx.net>.
On 07.07.2011 02:21, Greg Stein wrote:

> I don't believe that we need our own security address since I doubt
> we'll have that many *incoming* issues. Those reports can go to
> security@apache.org, and that team will forward them to the PPMC.
"Many" is a quantity that is hard to compare with ;-). From past
experience it seems that the number of incoming issues increased in the
last years. Not because our code became worse, but because more people
looked for security holes systematically.

Besides that, I tend to agree that we shouldn't start with a security
list of our own before we are sure that the Apache list can't handle the
number of incoming issues.

Regards,
Mathias

Re: [DISCUSS] Creation of ooo-security List

Posted by Greg Stein <gs...@gmail.com>.
Apache Subversion used to have its own security mailing list before it
came to the Apache Software Foundation. We decided that the *influx*
of security problems was low enough that we left that mailing list
behind. Today, we rely entirely on security@apache.org for external
entities to report problems[1].

Note that there are two purposes for security@apache.org:

1) external users report problems here
2) it is the Apache Security Team, and is used to contact them and to
keep them in the discussion loop.

On the page you referenced[2], all of the steps talk about the
"project team". That is not a subset of the PMC. That *is* the PMC.
The entire PMC is responsible for the project.

As an example, the Apache Subversion project manages the entire
response to a problem on private@subversion.a.o, keeping
security@apache.org cc'd on the discussion. We produce the patch, get
it tested, and use our private repository to develop the CVE text
(after we request CVE(s) from the security@ folks).

private@subversion.a.o has several dozen people on it. Probably more.

One key is to ensure that the people on the (P)PMC list understand
what the security response protocol looks like. They need to
understand that we keep it private until the vulnerability is ready
for disclosure. That disclosure typically includes CVE notices, and it
includes a pre-notification to a list of people (we keep that list in
svn, too, along with a script to send them the notification). Anybody
that we feel has an interest and impact in hearing about svn
vulnerabilities is asked (e.g. packagers and big hosting companies).

Once the Apache OO.o PPMC has a solid understanding, or at least a
solid agreement in *confidentiality*, then security issues can be
handled on ooo-private@incubator.a.o.

I don't believe that we need our own security address since I doubt
we'll have that many *incoming* issues. Those reports can go to
security@apache.org, and that team will forward them to the PPMC.

Cheers,
-g

[1] http://subversion.apache.org/security/
[2] http://www.apache.org/security/committers.html

On Wed, Jul 6, 2011 at 19:50, Dennis E. Hamilton
<de...@acm.org> wrote:
> I'm assuming the goal is to keep the analysis and discussion of alleged vulnerabilities to a relatively small need-to-know group.
>
> I don't know that 10 is a hard number, I heard it as a suggestion when I asked around about how this works at Apache.  Do you know typical sizes for security@project lists?
>
>  - Dennis
>
> -----Original Message-----
> From: Daniel Shahaf [mailto:d.s@daniel.shahaf.name]
> Sent: Wednesday, July 06, 2011 15:54
> To: OOo-dev Apache Incubator
> Subject: Re: [DISCUSS] Creation of ooo-security List
>
> Dennis E. Hamilton wrote on Wed, Jul 06, 2011 at 12:02:31 -0700:
>> I've learned that the Apache approach is for each PMC taking the lead
>> in handling security matters related to its releases.  To maintain the
>> security of security matters, the practice is to have a private list
>> (for us, ooo-security) with not more than ten security-aware
>> subscribers.
>
> I've never heard of a magic number cap to the # of subscribers of
> a mailing list.
>
>

RE: [DISCUSS] Creation of ooo-security List

Posted by "Dennis E. Hamilton" <de...@acm.org>.
I'm assuming the goal is to keep the analysis and discussion of alleged vulnerabilities to a relatively small need-to-know group.  

I don't know that 10 is a hard number, I heard it as a suggestion when I asked around about how this works at Apache.  Do you know typical sizes for security@project lists?

 - Dennis

-----Original Message-----
From: Daniel Shahaf [mailto:d.s@daniel.shahaf.name] 
Sent: Wednesday, July 06, 2011 15:54
To: OOo-dev Apache Incubator
Subject: Re: [DISCUSS] Creation of ooo-security List

Dennis E. Hamilton wrote on Wed, Jul 06, 2011 at 12:02:31 -0700:
> I've learned that the Apache approach is for each PMC taking the lead
> in handling security matters related to its releases.  To maintain the
> security of security matters, the practice is to have a private list
> (for us, ooo-security) with not more than ten security-aware
> subscribers.

I've never heard of a magic number cap to the # of subscribers of
a mailing list.


Re: [DISCUSS] Creation of ooo-security List

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Dennis E. Hamilton wrote on Wed, Jul 06, 2011 at 12:02:31 -0700:
> I've learned that the Apache approach is for each PMC taking the lead
> in handling security matters related to its releases.  To maintain the
> security of security matters, the practice is to have a private list
> (for us, ooo-security) with not more than ten security-aware
> subscribers.

I've never heard of a magic number cap to the # of subscribers of
a mailing list.

Re: [DISCUSS] Creation of ooo-security List

Posted by Greg Stein <gs...@gmail.com>.
On Wed, Jul 6, 2011 at 18:35, Dennis E. Hamilton
<de...@acm.org> wrote:
> Well, vulnerabilities are vulnerabilities and if there is an exposure in current code or in documents produced in current code, isn't that a concern for us now?  Why would it not be?
>
> Also, I don't presume that everyone is downstream from us (as opposed to the OpenOffice.org that once was).
>
> I think of LibreOffice as a mutual stakeholder because it seems they have a security team too and like it or not, they are cranking out releases very quickly and may be able to provide mitigations, hypothetically, months before we ever get a release of ours out the door.

We can get guidance from the Apache Security Team on this. I suspect
they would concur: work with the development/security teams of people
developing forks of OOo. Downstream users would presumably get a
standard pre-notification email.

>...
> I don't know about the details of having that work.  I do know if I uncover a problem, I am going to communicate it to every security-conscious entity I can.

The best answer is to ask Security for advice here. There is an
industry-standard approach to this kind of notification.

> To make this conversation concrete: I have security issues I want to raise, which is what had me looking into this in the first place.  I would like to do this in a manner that is in keeping with concerns for dealing with security matters privately to ensure that there is competent review and no danger attached to premature disclosure.  (I suspect not, because the vulnerabilities I am aware of exist in plain sight, but I want the counsel of someone having more security experience than I before saying, "Heck, I need something for today's blog post, why not stir things up with this?")

Start with security@apache.org, and go from there.

Cheers,
-g

Re: [DISCUSS] Creation of ooo-security List

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Dennis E. Hamilton wrote on Wed, Jul 06, 2011 at 15:35:46 -0700:
> To make this conversation concrete: I have security issues I want to
> raise, which is what had me looking into this in the first place.

Then please report them to security@a.o and/or ooo-private@.

RE: [DISCUSS] Creation of ooo-security List

Posted by "Dennis E. Hamilton" <de...@acm.org>.
I didn't say there were no other mutual stakeholders.  I mentioned one whose security list I knew about already.  It does raise interesting questions for when concerted action is desirable though.

I am not confusing security fixes with other fixes.  However, slip-streaming some easy things is clearly an opportunity at LO at the moment.  I can imagine some changes not even being announced as security fixes.  I don't know about slip-streaming at IBM, RedOffice, Oracle, Microsoft, etc.

 - Dennis

-----Original Message-----
From: rabastus@gmail.com [mailto:rabastus@gmail.com] On Behalf Of Rob Weir
Sent: Wednesday, July 06, 2011 16:10
To: ooo-dev@incubator.apache.org; dennis.hamilton@acm.org
Subject: Re: [DISCUSS] Creation of ooo-security List

On Wed, Jul 6, 2011 at 6:35 PM, Dennis E. Hamilton
<de...@acm.org> wrote:
> Well, vulnerabilities are vulnerabilities and if there is an exposure in current code or in documents produced in current code, isn't that a concern for us now?  Why would it not be?
>

I'm not saying it is not a concern.  I'm saying if you think it is a
concern, then get on with it and report the concern.

> Also, I don't presume that everyone is downstream from us (as opposed to the OpenOffice.org that once was).
>
> I think of LibreOffice as a mutual stakeholder because it seems they have a security team too and like it or not, they are cranking out releases very quickly and may be able to provide mitigations, hypothetically, months before we ever get a release of ours out the door.
>

And IBM and RedOffice and Oracle don't have products in use based on
this same code?  And they don't have people who work with security?  I
question your definition of "mutual stakeholder", especially since our
list of Committers has members from IBM, RedOffice and Oracle, but
none from LibreOffice.

And how often feature releases are "cranked out" is irrelevant to how
quickly a vendor can release a security patch if needed.  You are
mixing two different kinds of releases.

> Also, some security issues may require a jointly-agreed response so that we attend to interoperability concerns, especially if mitigation involves breaking changes or even introduction of allowed extensions (in the context of the ODF specifications).  Anything that fits into a discretionary area requiring producer-consumer agreement to work needs a community to unfold it.
>
> I don't know about the details of having that work.  I do know if I uncover a problem, I am going to communicate it to every security-conscious entity I can.
>

Hopefully this will include the Apache security list at some point.

> To make this conversation concrete: I have security issues I want to raise, which is what had me looking into this in the first place.  I would like to do this in a manner that is in keeping with concerns for dealing with security matters privately to ensure that there is competent review and no danger attached to premature disclosure.  (I suspect not, because the vulnerabilities I am aware of exist in plain sight, but I want the counsel of someone having more security experience than I before saying, "Heck, I need something for today's blog post, why not stir things up with this?")
>

The Apache process for handling this is documented and it explicitly
covers the case of reports for a project that does not have a
dedicated security list.

>
>  - Dennis
>
> -----Original Message-----
> From: rabastus@gmail.com [mailto:rabastus@gmail.com] On Behalf Of Rob Weir
> Sent: Wednesday, July 06, 2011 14:40
> To: ooo-dev@incubator.apache.org
> Subject: Re: [DISCUSS] Creation of ooo-security List
>
> On Wed, Jul 6, 2011 at 3:02 PM, Dennis E. Hamilton <or...@apache.org> wrote:
>> [I am reminded that the best way to talk to the PPMC is on ooo-dev and there is benefit in so doing.  Here goes.]
>>
>> PROPOSAL
>>
>> ooo-security@incubator.a.o be set up as a private list and a selection of not more than 10 security-aware PPMC members be subscribed to it.  We need to work out what the composition would be.  The list will be automatically forwarded to security@a.o.  I assume that there might be security-aware ooo-podling mentors and other ASF Members included in the small PPMC subscription.
>>
>> DETAILS
>>
>> General information about the Apache Security Team:
>> <http://www.apache.org/security/>
>>
>> More details on the handling of security and vulnerabilities by committers and the role of the [P]PMC:
>> <http://www.apache.org/security/committers.html>
>>
>> Note that creation of a security page on our web site is also part of this.  That should happen near-immediately also.
>>
>
> The website already has a "Security" link on the navigation panel, at
> the bottom.  This takes you to the main Apache security page where the
> reporter is instructed on how to submit reports.  According to that
> page, security reports are routed to the PMC in case we do not have a
> dedicated security list.  So I don't see the urgency on creating a new
> list or a new web page, especially since we don't even have code in
> the repository, let alone a release, and since there already is a
> security list and contact address at OOo.  I think that the existing
> procedures, in place at Apache, are adequate if someone wanted to
> report a problem.
>
> The idea of having the discussion in private, on the PMC private list
> or on a private security list, is a good idea, so that any
> vulnerability reported would not be immediately exploited by script
> kiddies.  Or at least the chances of that would be diminished.  But I
> don't think that any of the PPMC members are malicious hackers likely
> to abuse any security sensitive information shared on the PPMC list.
> Of course, only a subset of the members have security expertise.
>
>
>> BACKGROUND
>>
>> I have been nosing around in document-related security areas and that has led me to inquire what the arrangements need to be for discussing security issues, identified vulnerabilities, proposed mitigations, etc.
>>
>> I've learned that the Apache approach is for each PMC taking the lead in handling security matters related to its releases.  To maintain the security of security matters, the practice is to have a private list (for us, ooo-security) with not more than ten security-aware subscribers.
>>
>> Since we may have "common-mode" issues with respect to the use of our common code base and implementation behaviors, it may be necessary to coordinate with other teams, including the LibreOffice security team, in our case.  We'll have to work that out on an individual-case basis, I suspect.  I don't know if we have any PPMC members who are also on that team, and I don't know what the structure was for OpenOffice.org and who may have been involved.
>>
>
> I'd object to us officially sharing advance security-related
> information with some downstream consumers of OOo while not doing the
> same with others.
>
>>  - Dennis
>>
>>
>
>


Re: [DISCUSS] Creation of ooo-security List

Posted by Rob Weir <ap...@robweir.com>.
On Wed, Jul 6, 2011 at 6:35 PM, Dennis E. Hamilton
<de...@acm.org> wrote:
> Well, vulnerabilities are vulnerabilities and if there is an exposure in current code or in documents produced in current code, isn't that a concern for us now?  Why would it not be?
>

I'm not saying it is not a concern.  I'm saying if you think it is a
concern, then get on with it and report the concern.

> Also, I don't presume that everyone is downstream from us (as opposed to the OpenOffice.org that once was).
>
> I think of LibreOffice as a mutual stakeholder because it seems they have a security team too and like it or not, they are cranking out releases very quickly and may be able to provide mitigations, hypothetically, months before we ever get a release of ours out the door.
>

And IBM and RedOffice and Oracle don't have products in use based on
this same code?  And they don't have people who work with security?  I
question your definition of "mutual stakeholder", especially since our
list of Committers has members from IBM, RedOffice and Oracle, but
none from LibreOffice.

And how often feature releases are "cranked out" is irrelevant to how
quickly a vendor can release a security patch if needed.  You are
mixing two different kinds of releases.

> Also, some security issues may require a jointly-agreed response so that we attend to interoperability concerns, especially if mitigation involves breaking changes or even introduction of allowed extensions (in the context of the ODF specifications).  Anything that fits into a discretionary area requiring producer-consumer agreement to work needs a community to unfold it.
>
> I don't know about the details of having that work.  I do know if I uncover a problem, I am going to communicate it to every security-conscious entity I can.
>

Hopefully this will include the Apache security list at some point.

> To make this conversation concrete: I have security issues I want to raise, which is what had me looking into this in the first place.  I would like to do this in a manner that is in keeping with concerns for dealing with security matters privately to ensure that there is competent review and no danger attached to premature disclosure.  (I suspect not, because the vulnerabilities I am aware of exist in plain sight, but I want the counsel of someone having more security experience than I before saying, "Heck, I need something for today's blog post, why not stir things up with this?")
>

The Apache process for handling this is documented and it explicitly
covers the case of reports for a project that does not have a
dedicated security list.

>
>  - Dennis
>
> -----Original Message-----
> From: rabastus@gmail.com [mailto:rabastus@gmail.com] On Behalf Of Rob Weir
> Sent: Wednesday, July 06, 2011 14:40
> To: ooo-dev@incubator.apache.org
> Subject: Re: [DISCUSS] Creation of ooo-security List
>
> On Wed, Jul 6, 2011 at 3:02 PM, Dennis E. Hamilton <or...@apache.org> wrote:
>> [I am reminded that the best way to talk to the PPMC is on ooo-dev and there is benefit in so doing.  Here goes.]
>>
>> PROPOSAL
>>
>> ooo-security@incubator.a.o be set up as a private list and a selection of not more than 10 security-aware PPMC members be subscribed to it.  We need to work out what the composition would be.  The list will be automatically forwarded to security@a.o.  I assume that there might be security-aware ooo-podling mentors and other ASF Members included in the small PPMC subscription.
>>
>> DETAILS
>>
>> General information about the Apache Security Team:
>> <http://www.apache.org/security/>
>>
>> More details on the handling of security and vulnerabilities by committers and the role of the [P]PMC:
>> <http://www.apache.org/security/committers.html>
>>
>> Note that creation of a security page on our web site is also part of this.  That should happen near-immediately also.
>>
>
> The website already has a "Security" link on the navigation panel, at
> the bottom.  This takes you to the main Apache security page where the
> reporter is instructed on how to submit reports.  According to that
> page, security reports are routed to the PMC in case we do not have a
> dedicated security list.  So I don't see the urgency on creating a new
> list or a new web page, especially since we don't even have code in
> the repository, let alone a release, and since there already is a
> security list and contact address at OOo.  I think that the existing
> procedures, in place at Apache, are adequate if someone wanted to
> report a problem.
>
> The idea of having the discussion in private, on the PMC private list
> or on a private security list, is a good idea, so that any
> vulnerability reported would not be immediately exploited by script
> kiddies.  Or at least the chances of that would be diminished.  But I
> don't think that any of the PPMC members are malicious hackers likely
> to abuse any security sensitive information shared on the PPMC list.
> Of course, only a subset of the members have security expertise.
>
>
>> BACKGROUND
>>
>> I have been nosing around in document-related security areas and that has led me to inquire what the arrangements need to be for discussing security issues, identified vulnerabilities, proposed mitigations, etc.
>>
>> I've learned that the Apache approach is for each PMC taking the lead in handling security matters related to its releases.  To maintain the security of security matters, the practice is to have a private list (for us, ooo-security) with not more than ten security-aware subscribers.
>>
>> Since we may have "common-mode" issues with respect to the use of our common code base and implementation behaviors, it may be necessary to coordinate with other teams, including the LibreOffice security team, in our case.  We'll have to work that out on an individual-case basis, I suspect.  I don't know if we have any PPMC members who are also on that team, and I don't know what the structure was for OpenOffice.org and who may have been involved.
>>
>
> I'd object to us officially sharing advance security-related
> information with some downstream consumers of OOo while not doing the
> same with others.
>
>>  - Dennis
>>
>>
>
>

RE: [DISCUSS] Creation of ooo-security List

Posted by "Dennis E. Hamilton" <de...@acm.org>.
I thought the way security-related patches and releases are to be handled is spelled out clearly enough in the two web pages I linked to.

I suppose we know that an ooo-security@i.a.o is working when security fixes show up.  There is every reason to cloak such an operation in stealth and not announce anything about submissions received, work in progress, etc., until a vulnerability is addressed in public.

I am raising my particular concerns with security@ and the apparent equivalent at The Document Foundation.  Depending on what the gating rules are for submissions to those lists, I am not sure when and what I might hear back.  

 - Dennis
  
-----Original Message-----
From: Dave Fisher [mailto:dave2wave@comcast.net] 
Sent: Wednesday, July 06, 2011 15:52
To: ooo-dev@incubator.apache.org
Subject: Re: [DISCUSS] Creation of ooo-security List

Hi Dennis,

I appreciate your concerns. Have you raised them at security@apache.org yet?

If the security@apache.org list suggests that the AOOo PPMC request a security mailing list now then we should go ahead. We would need the right volunteers to handle any concerns.

Perhaps it will turn out that there are some individuals involved in all of AOOo, LibreOffice and Security that can informally handle the multiple "hats". That might avoid a formal arrangement. But maybe a formal agreement would be good.

I think that if we do have a security list that they will need to give nonspecific information so that the community can sense that issues are being solved. We may very well need to eventually have a security patch schedule that is not too frantic. (Firefox 5 or bust, corporations can just have their IE)

Regards,
Dave

On Jul 6, 2011, at 3:35 PM, Dennis E. Hamilton wrote:

> Well, vulnerabilities are vulnerabilities and if there is an exposure in current code or in documents produced in current code, isn't that a concern for us now?  Why would it not be?
> 
> Also, I don't presume that everyone is downstream from us (as opposed to the OpenOffice.org that once was).
> 
> I think of LibreOffice as a mutual stakeholder because it seems they have a security team too and like it or not, they are cranking out releases very quickly and may be able to provide mitigations, hypothetically, months before we ever get a release of ours out the door.  
> 
> Also, some security issues may require a jointly-agreed response so that we attend to interoperability concerns, especially if mitigation involves breaking changes or even introduction of allowed extensions (in the context of the ODF specifications).  Anything that fits into a discretionary area requiring producer-consumer agreement to work needs a community to unfold it.
> 
> I don't know about the details of having that work.  I do know if I uncover a problem, I am going to communicate it to every security-conscious entity I can.
> 
> To make this conversation concrete: I have security issues I want to raise, which is what had me looking into this in the first place.  I would like to do this in a manner that is in keeping with concerns for dealing with security matters privately to ensure that there is competent review and no danger attached to premature disclosure.  (I suspect not, because the vulnerabilities I am aware of exist in plain sight, but I want the counsel of someone having more security experience than I before saying, "Heck, I need something for today's blog post, why not stir things up with this?")
> 
> 
> - Dennis 
> 
> -----Original Message-----
> From: rabastus@gmail.com [mailto:rabastus@gmail.com] On Behalf Of Rob Weir
> Sent: Wednesday, July 06, 2011 14:40
> To: ooo-dev@incubator.apache.org
> Subject: Re: [DISCUSS] Creation of ooo-security List
> 
> On Wed, Jul 6, 2011 at 3:02 PM, Dennis E. Hamilton <or...@apache.org> wrote:
>> [I am reminded that the best way to talk to the PPMC is on ooo-dev and there is benefit in so doing.  Here goes.]
>> 
>> PROPOSAL
>> 
>> ooo-security@incubator.a.o be set up as a private list and a selection of not more than 10 security-aware PPMC members be subscribed to it.  We need to work out what the composition would be.  The list will be automatically forwarded to security@a.o.  I assume that there might be security-aware ooo-podling mentors and other ASF Members included in the small PPMC subscription.
>> 
>> DETAILS
>> 
>> General information about the Apache Security Team:
>> <http://www.apache.org/security/>
>> 
>> More details on the handling of security and vulnerabilities by committers and the role of the [P]PMC:
>> <http://www.apache.org/security/committers.html>
>> 
>> Note that creation of a security page on our web site is also part of this.  That should happen near-immediately also.
>> 
> 
> The website already has a "Security" link on the navigation panel, at
> the bottom.  This takes you to the main Apache security page where the
> reporter is instructed on how to submit reports.  According to that
> page, security reports are routed to the PMC in case we do not have a
> dedicated security list.  So I don't see the urgency on creating a new
> list or a new web page, especially since we don't even have code in
> the repository, let alone a release, and since there already is a
> security list and contact address at OOo.  I think that the existing
> procedures, in place at Apache, are adequate if someone wanted to
> report a problem.
> 
> The idea of having the discussion in private, on the PMC private list
> or on a private security list, is a good idea, so that any
> vulnerability reported would not be immediately exploited by script
> kiddies.  Or at least the chances of that would be diminished.  But I
> don't think that any of the PPMC members are malicious hackers likely
> to abuse any security sensitive information shared on the PPMC list.
> Of course, only a subset of the members have security expertise.
> 
> 
>> BACKGROUND
>> 
>> I have been nosing around in document-related security areas and that has led me to inquire what the arrangements need to be for discussing security issues, identified vulnerabilities, proposed mitigations, etc.
>> 
>> I've learned that the Apache approach is for each PMC taking the lead in handling security matters related to its releases.  To maintain the security of security matters, the practice is to have a private list (for us, ooo-security) with not more than ten security-aware subscribers.
>> 
>> Since we may have "common-mode" issues with respect to the use of our common code base and implementation behaviors, it may be necessary to coordinate with other teams, including the LibreOffice security team, in our case.  We'll have to work that out on an individual-case basis, I suspect.  I don't know if we have any PPMC members who are also on that team, and I don't know what the structure was for OpenOffice.org and who may have been involved.
>> 
> 
> I'd object to us officially sharing advance security-related
> information with some downstream consumers of OOo while not doing the
> same with others.
> 
>> - Dennis
>> 
>> 
> 


Re: [DISCUSS] Creation of ooo-security List

Posted by Dave Fisher <da...@comcast.net>.
Hi Dennis,

I appreciate your concerns. Have you raised them at security@apache.org yet?

If the security@apache.org list suggests that the AOOo PPMC request a security mailing list now then we should go ahead. We would need the right volunteers to handle any concerns.

Perhaps it will turn out that there are some individuals involved in all of AOOo, LibreOffice and Security that can informally handle the multiple "hats". That might avoid a formal arrangement. But maybe a formal agreement would be good.

I think that if we do have a security list that they will need to give nonspecific information so that the community can sense that issues are being solved. We may very well need to eventually have a security patch schedule that is not too frantic. (Firefox 5 or bust, corporations can just have their IE)

Regards,
Dave

On Jul 6, 2011, at 3:35 PM, Dennis E. Hamilton wrote:

> Well, vulnerabilities are vulnerabilities and if there is an exposure in current code or in documents produced in current code, isn't that a concern for us now?  Why would it not be?
> 
> Also, I don't presume that everyone is downstream from us (as opposed to the OpenOffice.org that once was).
> 
> I think of LibreOffice as a mutual stakeholder because it seems they have a security team too and like it or not, they are cranking out releases very quickly and may be able to provide mitigations, hypothetically, months before we ever get a release of ours out the door.  
> 
> Also, some security issues may require a jointly-agreed response so that we attend to interoperability concerns, especially if mitigation involves breaking changes or even introduction of allowed extensions (in the context of the ODF specifications).  Anything that fits into a discretionary area requiring producer-consumer agreement to work needs a community to unfold it.
> 
> I don't know about the details of having that work.  I do know if I uncover a problem, I am going to communicate it to every security-conscious entity I can.
> 
> To make this conversation concrete: I have security issues I want to raise, which is what had me looking into this in the first place.  I would like to do this in a manner that is in keeping with concerns for dealing with security matters privately to ensure that there is competent review and no danger attached to premature disclosure.  (I suspect not, because the vulnerabilities I am aware of exist in plain sight, but I want the counsel of someone having more security experience than I before saying, "Heck, I need something for today's blog post, why not stir things up with this?")
> 
> 
> - Dennis 
> 
> -----Original Message-----
> From: rabastus@gmail.com [mailto:rabastus@gmail.com] On Behalf Of Rob Weir
> Sent: Wednesday, July 06, 2011 14:40
> To: ooo-dev@incubator.apache.org
> Subject: Re: [DISCUSS] Creation of ooo-security List
> 
> On Wed, Jul 6, 2011 at 3:02 PM, Dennis E. Hamilton <or...@apache.org> wrote:
>> [I am reminded that the best way to talk to the PPMC is on ooo-dev and there is benefit in so doing.  Here goes.]
>> 
>> PROPOSAL
>> 
>> ooo-security@incubator.a.o be set up as a private list and a selection of not more than 10 security-aware PPMC members be subscribed to it.  We need to work out what the composition would be.  The list will be automatically forwarded to security@a.o.  I assume that there might be security-aware ooo-podling mentors and other ASF Members included in the small PPMC subscription.
>> 
>> DETAILS
>> 
>> General information about the Apache Security Team:
>> <http://www.apache.org/security/>
>> 
>> More details on the handling of security and vulnerabilities by committers and the role of the [P]PMC:
>> <http://www.apache.org/security/committers.html>
>> 
>> Note that creation of a security page on our web site is also part of this.  That should happen near-immediately also.
>> 
> 
> The website already has a "Security" link on the navigation panel, at
> the bottom.  This takes you to the main Apache security page where the
> reporter is instructed on how to submit reports.  According to that
> page, security reports are routed to the PMC in case we do not have a
> dedicated security list.  So I don't see the urgency on creating a new
> list or a new web page, especially since we don't even have code in
> the repository, let alone a release, and since there already is a
> security list and contact address at OOo.  I think that the existing
> procedures, in place at Apache, are adequate if someone wanted to
> report a problem.
> 
> The idea of having the discussion in private, on the PMC private list
> or on a private security list, is a good idea, so that any
> vulnerability reported would not be immediately exploited by script
> kiddies.  Or at least the chances of that would be diminished.  But I
> don't think that any of the PPMC members are malicious hackers likely
> to abuse any security sensitive information shared on the PPMC list.
> Of course, only a subset of the members have security expertise.
> 
> 
>> BACKGROUND
>> 
>> I have been nosing around in document-related security areas and that has led me to inquire what the arrangements need to be for discussing security issues, identified vulnerabilities, proposed mitigations, etc.
>> 
>> I've learned that the Apache approach is for each PMC to take the lead in handling security matters related to its releases.  To maintain the security of security matters, the practice is to have a private list (for us, ooo-security) with not more than ten security-aware subscribers.
>> 
>> Since we may have "common-mode" issues with respect to the use of our common code base and implementation behaviors, it may be necessary to coordinate with other teams, including the LibreOffice security team, in our case.  We'll have to work that out on an individual-case basis, I suspect.  I don't know if we have any PPMC members who are also on that team, and I don't know what the structure was for OpenOffice.org and who may have been involved.
>> 
> 
> I'd object to us officially sharing advance security-related
> information with some downstream consumers of OOo while not doing the
> same with others.
> 
>> - Dennis
>> 
>> 
> 


RE: [DISCUSS] Creation of ooo-security List

Posted by "Dennis E. Hamilton" <de...@acm.org>.
Well, vulnerabilities are vulnerabilities and if there is an exposure in current code or in documents produced in current code, isn't that a concern for us now?  Why would it not be?

Also, I don't presume that everyone is downstream from us (as opposed to the OpenOffice.org that once was).

I think of LibreOffice as a mutual stakeholder because it seems they have a security team too and like it or not, they are cranking out releases very quickly and may be able to provide mitigations, hypothetically, months before we ever get a release of ours out the door.  

Also, some security issues may require a jointly-agreed response so that we attend to interoperability concerns, especially if mitigation involves breaking changes or even introduction of allowed extensions (in the context of the ODF specifications).  Anything that fits into a discretionary area requiring producer-consumer agreement to work needs a community to unfold it.

I don't know about the details of having that work.  I do know if I uncover a problem, I am going to communicate it to every security-conscious entity I can.

To make this conversation concrete: I have security issues I want to raise, which is what had me looking into this in the first place.  I would like to do this in a manner that is in keeping with concerns for dealing with security matters privately to ensure that there is competent review and no danger attached to premature disclosure.  (I suspect not, because the vulnerabilities I am aware of exist in plain sight, but I want the counsel of someone having more security experience than I before saying, "Heck, I need something for today's blog post, why not stir things up with this?")


- Dennis

-----Original Message-----
From: rabastus@gmail.com [mailto:rabastus@gmail.com] On Behalf Of Rob Weir
Sent: Wednesday, July 06, 2011 14:40
To: ooo-dev@incubator.apache.org
Subject: Re: [DISCUSS] Creation of ooo-security List

On Wed, Jul 6, 2011 at 3:02 PM, Dennis E. Hamilton <or...@apache.org> wrote:
> [I am reminded that the best way to talk to the PPMC is on ooo-dev and there is benefit in so doing.  Here goes.]
>
> PROPOSAL
>
> ooo-security@incubator.a.o be set up as a private list and a selection of not more than 10 security-aware PPMC members be subscribed to it.  We need to work out what the composition would be.  The list will be automatically forwarded to security@a.o.  I assume that there might be security-aware ooo-podling mentors and other ASF Members included in the small PPMC subscription.
>
> DETAILS
>
> General information about the Apache Security Team:
> <http://www.apache.org/security/>
>
> More details on the handling of security and vulnerabilities by committers and the role of the [P]PMC:
> <http://www.apache.org/security/committers.html>
>
> Note that creation of a security page on our web site is also part of this.  That should happen near-immediately also.
>

The website already has a "Security" link on the navigation panel, at
the bottom.  This takes you to the main Apache security page where the
reporter is instructed on how to submit reports.  According to that
page, security reports are routed to the PMC in case we do not have a
dedicated security list.  So I don't see the urgency on creating a new
list or a new web page, especially since we don't even have code in
the repository, let alone a release, and since there already is a
security list and contact address at OOo.  I think that the existing
procedures, in place at Apache, are adequate if someone wanted to
report a problem.

The idea of having the discussion in private, on the PMC private list
or on a private security list, is a good idea, so that any
vulnerability reported would not be immediately exploited by script
kiddies.  Or at least the chances of that would be diminished.  But I
don't think that any of the PPMC members are malicious hackers likely
to abuse any security sensitive information shared on the PPMC list.
Of course, only a subset of the members have security expertise.


> BACKGROUND
>
> I have been nosing around in document-related security areas and that has led me to inquire what the arrangements need to be for discussing security issues, identified vulnerabilities, proposed mitigations, etc.
>
> I've learned that the Apache approach is for each PMC to take the lead in handling security matters related to its releases.  To maintain the security of security matters, the practice is to have a private list (for us, ooo-security) with not more than ten security-aware subscribers.
>
> Since we may have "common-mode" issues with respect to the use of our common code base and implementation behaviors, it may be necessary to coordinate with other teams, including the LibreOffice security team, in our case.  We'll have to work that out on an individual-case basis, I suspect.  I don't know if we have any PPMC members who are also on that team, and I don't know what the structure was for OpenOffice.org and who may have been involved.
>

I'd object to us officially sharing advance security-related
information with some downstream consumers of OOo while not doing the
same with others.

> - Dennis
>
>


Re: [DISCUSS] Creation of ooo-security List

Posted by Rob Weir <ap...@robweir.com>.
On Wed, Jul 6, 2011 at 3:02 PM, Dennis E. Hamilton <or...@apache.org> wrote:
> [I am reminded that the best way to talk to the PPMC is on ooo-dev and there is benefit in so doing.  Here goes.]
>
> PROPOSAL
>
> ooo-security@incubator.a.o be set up as a private list and a selection of not more than 10 security-aware PPMC members be subscribed to it.  We need to work out what the composition would be.  The list will be automatically forwarded to security@a.o.  I assume that there might be security-aware ooo-podling mentors and other ASF Members included in the small PPMC subscription.
>
> DETAILS
>
> General information about the Apache Security Team:
> <http://www.apache.org/security/>
>
> More details on the handling of security and vulnerabilities by committers and the role of the [P]PMC:
> <http://www.apache.org/security/committers.html>
>
> Note that creation of a security page on our web site is also part of this.  That should happen near-immediately also.
>

The website already has a "Security" link on the navigation panel, at
the bottom.  This takes you to the main Apache security page where the
reporter is instructed on how to submit reports.  According to that
page, security reports are routed to the PMC in case we do not have a
dedicated security list.  So I don't see the urgency on creating a new
list or a new web page, especially since we don't even have code in
the repository, let alone a release, and since there already is a
security list and contact address at OOo.  I think that the existing
procedures, in place at Apache, are adequate if someone wanted to
report a problem.

The idea of having the discussion in private, on the PMC private list
or on a private security list, is a good idea, so that any
vulnerability reported would not be immediately exploited by script
kiddies.  Or at least the chances of that would be diminished.  But I
don't think that any of the PPMC members are malicious hackers likely
to abuse any security sensitive information shared on the PPMC list.
Of course, only a subset of the members have security expertise.


> BACKGROUND
>
> I have been nosing around in document-related security areas and that has led me to inquire what the arrangements need to be for discussing security issues, identified vulnerabilities, proposed mitigations, etc.
>
> I've learned that the Apache approach is for each PMC to take the lead in handling security matters related to its releases.  To maintain the security of security matters, the practice is to have a private list (for us, ooo-security) with not more than ten security-aware subscribers.
>
> Since we may have "common-mode" issues with respect to the use of our common code base and implementation behaviors, it may be necessary to coordinate with other teams, including the LibreOffice security team, in our case.  We'll have to work that out on an individual-case basis, I suspect.  I don't know if we have any PPMC members who are also on that team, and I don't know what the structure was for OpenOffice.org and who may have been involved.
>

I'd object to us officially sharing advance security-related
information with some downstream consumers of OOo while not doing the
same with others.

> - Dennis
>
>