Posted to dev@openoffice.apache.org by Michael Meeks <mi...@suse.com> on 2011/11/29 13:17:23 UTC

Re: Neutral / shared security list ...

So,

On Tue, 2011-10-25 at 13:00 -0700, Dave Fisher wrote:
> > On Tue, 2011-10-25 at 10:22 -0700, Dave Fisher wrote:
> >> I think we are getting somewhere. The last detail is which is the real ML
> >> and which is the forwarder. While the AOOo project might prefer to have
> > 
> > 	Fair point - for ultra-fairness we should perhaps publish two
> > forwarding addresses - securityteam@oo.o and securityteam@tdf one each,
> > both pointing at the neutrally hosted list.

	So - a quick round up of where we have (not) got here. A month later,
we still have a non-neutrally hosted Apache controlled list, hosted
under Apache's domain, with only AOOI members controlling its
membership, and an incomplete (from the TDF perspective) membership
list.

	Since there is (apparently) no action here at all, and the most
sensible & friendly options have been exhausted - eg. to have
cross-membership on each other's lists; I've finally got around to
setting up:

	officesecurity@lists.freedesktop.org

	It is intended as a vendor neutral, neutrally hosted list for reporting
security vulnerabilities.

	Dennis Hamilton agreed to be an administrator; it'd be great to get
another administrator or two from the pool of people involved in security
to administrate it from the Apache side, and/or any interested
derivatives. I plan to populate it with the tdf-security membership in a
bit.

	It'd also be nice to have a list of guys from your side to subscribe to
it, and/or otherwise (in the meantime) perhaps we should add
ooo-security@incubator.apache.org to be on the safe side.

	All the best,

		Michael.

-- 
michael.meeks@suse.com  <><, Pseudo Engineer, itinerant idiot


Re: Neutral / shared security list ...

Posted by Raphael Bircher <r....@gmx.ch>.
On 29.11.11 14:31, Wolf Halton wrote:
> On Tue, Nov 29, 2011 at 7:49 AM, Simon Phipps<si...@webmink.com>  wrote:
>
>> On 29 Nov 2011, at 12:17, Michael Meeks wrote:
>>> I've finally got around to setting up:
>>>
>>>        officesecurity@lists.freedesktop.org
>>>
>>> It is intended as a vendor neutral, neutrally hosted list for reporting
>> security vulnerabilities.
>>
>>
>> Thanks, Michael, it's good to see positive action on this.
>>
>> S.
>>
> This is a project constellation which has attracted some strong
> partisanship.  I would like to see some of the infighting stop.  All it
> really does is splinter natural allies.  Everybody has personal or
> professional reasons for what they do.  Are we not mature enough to focus
> on the mutual thriving health of AOO, LO, or any Star office deriv.
>
From the LO point of view, for sure not. Because we will have our own program
packages, and these packages automatically compete with LO.

-- 
My private Homepage: http://www.raphaelbircher.ch/

Re: Neutral / shared security list ...

Posted by Wolf Halton <wo...@gmail.com>.
On Tue, Nov 29, 2011 at 7:49 AM, Simon Phipps <si...@webmink.com> wrote:

>
> On 29 Nov 2011, at 12:17, Michael Meeks wrote:
> > I've finally got around to setting up:
> >
> >       officesecurity@lists.freedesktop.org
> >
> > It is intended as a vendor neutral, neutrally hosted list for reporting
> security vulnerabilities.
>
>
> Thanks, Michael, it's good to see positive action on this.
>
> S.
>
This is a project constellation which has attracted some strong
partisanship.  I would like to see some of the infighting stop.  All it
really does is splinter natural allies.  Everybody has personal or
professional reasons for what they do.  Are we not mature enough to focus
on the mutual thriving health of AOO, LO, or any Star office deriv.


-- 
This Apt Has Super Cow Powers - http://sourcefreedom.com
Advancing Libraries Together - http://LYRASIS.org

Re: Neutral / shared security list ...

Posted by Simon Phipps <si...@webmink.com>.
On 29 Nov 2011, at 12:17, Michael Meeks wrote:
> I've finally got around to setting up:
> 
> 	officesecurity@lists.freedesktop.org
> 
> It is intended as a vendor neutral, neutrally hosted list for reporting security vulnerabilities.


Thanks, Michael, it's good to see positive action on this.

S.


Re: Neutral / shared security list ...

Posted by Michael Meeks <mi...@suse.com>.
Rob,

On Tue, 2011-11-29 at 07:37 -0500, Rob Weir wrote:
> Just to be clear.  No discussion of this new list has taken place on
> ooo-dev or ooo-private.

	You did read this thread? It was discussed, inconclusively at length,
and the unhappiness with the status quo articulated quite clearly, that
was around a month ago. Finally I got around to doing something about it
- much as was outlined.

> You have acted unilaterally in this regard. Dennis is not representing
> Apache or this project in this matter.  In fact he is not even a
> participant on the ooo-security or securityteam list.

	Sounds like he is a neutral sort of guy then; he has posted useful
things to the TDF security list in the past, and seems entirely suitable
as a neutral moderator. Since I tend to think that getting the poles
into the same boat can help - would you like to be an admin to ensure
balance, or does IBM have someone working on security topics that would
be a better fit?

> >        It'd also be nice to have a list of guys from your side
>> to subscribe to it, and/or otherwise (in the meantime) perhaps
>> we should add ooo-security@incubator.apache.org to be on the
>> safe side.
>
> Since Dennis has already leaked the subscriber list for the
> securityteam mailing list to you, I assume you are all set now?

	He has?

	One thing that would really help me in future (and I know it's a lot to
ask) would be if you could (somehow) in your mails clearly separate
facts you can vouch for, from unsubstantiated conjecture stated as
fact.

	But of course, I'll go and comb through my spam filter.

	Regards,

		Michael.

-- 
michael.meeks@suse.com  <><, Pseudo Engineer, itinerant idiot


Re: Neutral / shared security list ...

Posted by Rob Weir <ro...@apache.org>.
On Tue, Nov 29, 2011 at 7:17 AM, Michael Meeks <mi...@suse.com> wrote:
> So,
>
> On Tue, 2011-10-25 at 13:00 -0700, Dave Fisher wrote:
>> > On Tue, 2011-10-25 at 10:22 -0700, Dave Fisher wrote:
>> >> I think we are getting somewhere. The last detail is which is the real ML
>> >> and which is the forwarder. While the AOOo project might prefer to have
>> >
>> >     Fair point - for ultra-fairness we should perhaps publish two
>> > forwarding addresses - securityteam@oo.o and securityteam@tdf one each,
>> > both pointing at the neutrally hosted list.
>
>        So - a quick round up of where we have (not) got here. A month later,
> we still have a non-neutrally hosted Apache controlled list, hosted
> under Apache's domain, with only AOOI members controlling its
> membership, and an incomplete (from the TDF perspective) membership
> list.
>
>        Since there is (apparently) no action here at all, and the most
> sensible & friendly options have been exhausted - eg. to have
> cross-membership on each other's lists; I've finally got around to
> setting up:
>
>        officesecurity@lists.freedesktop.org
>
>        It is intended as a vendor neutral, neutrally hosted list for reporting
> security vulnerabilities.
>
>        Dennis Hamilton agreed to be an administrator; it'd be great to get
> another administrator or two from the pool of people involved in security
> to administrate it from the Apache side, and/or any interested
> derivatives. I plan to populate it with the tdf-security membership in a
> bit.
>

Just to be clear.  No discussion of this new list has taken place on
ooo-dev or ooo-private.  You have acted unilaterally in this regard.
Dennis is not representing Apache or this project in this matter.  In
fact he is not even a participant on the ooo-security or securityteam
list.

>        It'd also be nice to have a list of guys from your side to subscribe to
> it, and/or otherwise (in the meantime) perhaps we should add
> ooo-security@incubator.apache.org to be on the safe side.
>

Since Dennis has already leaked the subscriber list for the
securityteam mailing list to you, I assume you are all set now?

>        All the best,
>
>                Michael.
>
> --
> michael.meeks@suse.com  <><, Pseudo Engineer, itinerant idiot
>

Re: Neutral / shared security list ...

Posted by Dave Fisher <da...@comcast.net>.
Hi Michael,

While some might have hoped for another proposal and discussion prior to action, thank you for going ahead where there was clearly no consensus for specific action on the AOO side.

On Nov 29, 2011, at 4:17 AM, Michael Meeks wrote:

> So,
> 
> On Tue, 2011-10-25 at 13:00 -0700, Dave Fisher wrote:
>>> On Tue, 2011-10-25 at 10:22 -0700, Dave Fisher wrote:
>>>> I think we are getting somewhere. The last detail is which is the real ML
>>>> and which is the forwarder. While the AOOo project might prefer to have
>>> 
>>> 	Fair point - for ultra-fairness we should perhaps publish two
>>> forwarding addresses - securityteam@oo.o and securityteam@tdf one each,
>>> both pointing at the neutrally hosted list.
> 
> 	So - a quick round up of where we have (not) got here. A month later,
> we still have a non-neutrally hosted Apache controlled list, hosted
> under Apache's domain, with only AOOI members controlling its
> membership, and an incomplete (from the TDF perspective) membership
> list.
> 
> 	Since there is (apparently) no action here at all, and the most
> sensible & friendly options have been exhausted - eg. to have
> cross-membership on each other's lists; I've finally got around to
> setting up:
> 
> 	officesecurity@lists.freedesktop.org
> 
> 	It is intended as a vendor neutral, neutrally hosted list for reporting
> security vulnerabilities.
> 
> 	Dennis Hamilton agreed to be an administrator; it'd be great to get
> another administrator or two from the pool of people involved in security
> to administrate it from the Apache side, and/or any interested
> derivatives. I plan to populate it with the tdf-security membership in a
> bit.

Dennis is a good choice. On these lists he is often focused on security.

> 
> 	It'd also be nice to have a list of guys from your side to subscribe to
> it, and/or otherwise (in the meantime) perhaps we should add
> ooo-security@incubator.apache.org to be on the safe side.

I think that would be best. 

I hope for a future time when the TDF will consider openoffice.org to be neutral. I have no energy to argue that case. At the risk of an English colloquialism - "the proof is in the pudding".

We have a lot with IP Clearance, Builds, OOo migration, TOOo proposal, and N-L groups.

Best Regards,
Dave

> 
> 	All the best,
> 
> 		Michael.
> 
> -- 
> michael.meeks@suse.com  <><, Pseudo Engineer, itinerant idiot
>