Posted to dev@openoffice.apache.org by "Dennis E. Hamilton" <or...@apache.org> on 2011/07/29 22:28:01 UTC

Operating ooo-security (was RE: Population of ooo-security)

We are in a very fledgling situation here.  Let's see if we can clear up a few things.

Here is my understanding of the situation as it exists at the moment.

 - Dennis

 1. The ooo-security@i.a.o list is private and moderated.  Anyone can send a message to the list.  The three current moderators of the list share responsibility for allowing a post onto the list or not.  Anyone can also attempt to subscribe to the list.  Once the requester completes the e-mail verification ceremony, the request is submitted for approval by the moderators.  In this case, the way the moderators decline is by doing nothing.

 2. It is the PPMC that is entirely responsible for handling the mitigation of security issues, including undisclosed exploits.  No one else.  That means it is the PPMC that would authorize a patch.  If, for some reason, any non-Apache-committer submitted a patch, it would presumably be treated the same as any patch submission on ooo-dev, apart from the additional secrecy of the activity until the mitigation is in place.  
   However, there are many activities that go into the assessment of a security issue and the analysis of potential mitigation approaches.  They might never involve the actual creation of code or patches.

 3. It is the PPMC, as part of its responsibilities, with the advice (and consent?) of security@a.o, that determines how the ooo-security@i.a.o list is managed and who serves on it.  

 4. Perhaps we should look at the ooo-security@i.a.o list subscribers as strictly advisory to the PPMC.  The subscribers would have the specific charge of handling the inputs that are accepted as bona fide security matters with appropriate sensitivity.  We need to be careful to operate within the norms for dealing with undisclosed vulnerabilities and prospective exploits and maintaining the security of all preparations and ooo-security@i.a.o are the shepherds for this, let's say.  We don't quite know how this will work out in practice and how much the ooo-security@i.a.o subscribers will work things out before engaging the PPMC as a whole.

In none of this do I see a requirement for a committer, or even PPMC membership for someone who is subscribed to the list for purposes of supporting the coordination with others who need to be responders (as in a multi-alarm fire), and reciprocally, since anyone might be the "first responder."  Requiring an iCLA I can understand, with regard to IP matters that might arise, although that might be more symbolic than essential.  But if the practice is to require PPMC members, then that is what we should do.  The current subscribers are all PPMC members.

Although I favor a more ecumenical arrangement than we are putting in place, we can of course make it work without that.  We can provide liaison already with the small ooo-security@i.a.o subscriber list that we have now.  That will be necessarily selective, and it is not clear what agreement needs to be reached before any external entities are engaged.  We'll have to figure that out.

We can also create the arrangements that Rob Weir proposes for having an alert mechanism and having a PPMC-maintained (private) list of contacts both for alerts and for experts.  

-----Original Message-----
From: Danese Cooper [mailto:danese@gmail.com] 
Sent: Friday, July 29, 2011 09:55
To: ooo-dev@incubator.apache.org
Subject: Re: Population of ooo-security

[ ... ]

Only people recognized as committers can "own" the
problem of security for this codebase.  It is this way to protect both the
ASF and the codebase.

[ ... ]

I'd propose that we (as a project) decide how best to work with LibreOffice
to identify people who would like to serve as liaisons for security. If
indeed nobody wants to sign an iCLA, then we'll gladly subscribe LO to
receive downstream notifications rather than early disclosure of any issues
that arise.  That is suboptimal, but until more diplomacy and trust work is
done it may be the best we can do.

[ ... ]


Re: Operating ooo-security (was RE: Population of ooo-security)

Posted by Rob Weir <ap...@robweir.com>.
On Fri, Jul 29, 2011 at 6:02 PM, Dave Fisher <da...@comcast.net> wrote:
> I just sent in a test email from my work email. Please do not divulge my employer. (Ah these corporate rules ;-)
>

Message arrived, no moderation note.

> Regards,
> Dave
>
> On Jul 29, 2011, at 2:54 PM, Dennis E. Hamilton wrote:
>
>> You're probably right.  It is up to the list subscribers to know what to ignore then.
>>
>> We haven't had anything from an unknown sender yet, so we can know for sure.
>>
>> - Dennis
>>
>> -----Original Message-----
>> From: Daniel Shahaf [mailto:d.s@daniel.shahaf.name]
>> Sent: Friday, July 29, 2011 13:42
>> To: ooo-dev@incubator.apache.org
>> Subject: Re: Operating ooo-security (was RE: Population of ooo-security)
>>
>> Dennis E. Hamilton wrote on Fri, Jul 29, 2011 at 13:28:01 -0700:
>>> We are in a very fledgling situation here.  Let's see if we can clear up a few things.
>>>
>>> Here is my understanding of the situation as it exists at the moment.
>>>
>>> - Dennis
>>>
>>> 1. The ooo-security@i.a.o list is private and moderated.  Anyone can
>>> send a message to the list.  The three current moderators of the list
>>> share responsibility for allowing a post onto the list or not.
>>> Anyone can also attempt to subscribe to the list.  Once the requester
>>> completes the e-mail verification ceremony, the request is submitted
>>> for approval by the moderators.  In this case, the way the moderators
>>> decline is by doing nothing.
>>
>> I thought that security@ lists were moderated for subscription but not
>> for posting.
>>
>
>

RE: Operating ooo-security (was RE: Population of ooo-security)

Posted by "Dennis E. Hamilton" <de...@acm.org>.
It came through on the list without any intervention.  Hit my spam list though, so I tuned up my e-mail client to white-list anything addressed to that list.

 - Dennis

-----Original Message-----
From: Dave Fisher [mailto:dave2wave@comcast.net] 
Sent: Friday, July 29, 2011 15:02
To: ooo-dev@incubator.apache.org
Subject: Re: Operating ooo-security (was RE: Population of ooo-security)

I just sent in a test email from my work email. Please do not divulge my employer. (Ah these corporate rules ;-)

Regards,
Dave

On Jul 29, 2011, at 2:54 PM, Dennis E. Hamilton wrote:

> You're probably right.  It is up to the list subscribers to know what to ignore then.  
> 
> We haven't had anything from an unknown sender yet, so we can know for sure.
> 
> - Dennis
> 
> -----Original Message-----
> From: Daniel Shahaf [mailto:d.s@daniel.shahaf.name] 
> Sent: Friday, July 29, 2011 13:42
> To: ooo-dev@incubator.apache.org
> Subject: Re: Operating ooo-security (was RE: Population of ooo-security)
> 
> Dennis E. Hamilton wrote on Fri, Jul 29, 2011 at 13:28:01 -0700:
>> We are in a very fledgling situation here.  Let's see if we can clear up a few things.
>> 
>> Here is my understanding of the situation as it exists at the moment.
>> 
>> - Dennis
>> 
>> 1. The ooo-security@i.a.o list is private and moderated.  Anyone can
>> send a message to the list.  The three current moderators of the list
>> share responsibility for allowing a post onto the list or not.
>> Anyone can also attempt to subscribe to the list.  Once the requester
>> completes the e-mail verification ceremony, the request is submitted
>> for approval by the moderators.  In this case, the way the moderators
>> decline is by doing nothing.
> 
> I thought that security@ lists were moderated for subscription but not
> for posting.
> 


Re: Operating ooo-security (was RE: Population of ooo-security)

Posted by Dave Fisher <da...@comcast.net>.
I just sent in a test email from my work email. Please do not divulge my employer. (Ah these corporate rules ;-)

Regards,
Dave

On Jul 29, 2011, at 2:54 PM, Dennis E. Hamilton wrote:

> You're probably right.  It is up to the list subscribers to know what to ignore then.  
> 
> We haven't had anything from an unknown sender yet, so we can know for sure.
> 
> - Dennis
> 
> -----Original Message-----
> From: Daniel Shahaf [mailto:d.s@daniel.shahaf.name] 
> Sent: Friday, July 29, 2011 13:42
> To: ooo-dev@incubator.apache.org
> Subject: Re: Operating ooo-security (was RE: Population of ooo-security)
> 
> Dennis E. Hamilton wrote on Fri, Jul 29, 2011 at 13:28:01 -0700:
>> We are in a very fledgling situation here.  Let's see if we can clear up a few things.
>> 
>> Here is my understanding of the situation as it exists at the moment.
>> 
>> - Dennis
>> 
>> 1. The ooo-security@i.a.o list is private and moderated.  Anyone can
>> send a message to the list.  The three current moderators of the list
>> share responsibility for allowing a post onto the list or not.
>> Anyone can also attempt to subscribe to the list.  Once the requester
>> completes the e-mail verification ceremony, the request is submitted
>> for approval by the moderators.  In this case, the way the moderators
>> decline is by doing nothing.
> 
> I thought that security@ lists were moderated for subscription but not
> for posting.
> 


RE: Operating ooo-security (was RE: Population of ooo-security)

Posted by "Dennis E. Hamilton" <de...@acm.org>.
You're probably right.  It is up to the list subscribers to know what to ignore then.  

We haven't had anything from an unknown sender yet, so we can know for sure.

 - Dennis

-----Original Message-----
From: Daniel Shahaf [mailto:d.s@daniel.shahaf.name] 
Sent: Friday, July 29, 2011 13:42
To: ooo-dev@incubator.apache.org
Subject: Re: Operating ooo-security (was RE: Population of ooo-security)

Dennis E. Hamilton wrote on Fri, Jul 29, 2011 at 13:28:01 -0700:
> We are in a very fledgling situation here.  Let's see if we can clear up a few things.
> 
> Here is my understanding of the situation as it exists at the moment.
> 
>  - Dennis
> 
>  1. The ooo-security@i.a.o list is private and moderated.  Anyone can
>  send a message to the list.  The three current moderators of the list
>  share responsibility for allowing a post onto the list or not.
>  Anyone can also attempt to subscribe to the list.  Once the requester
>  completes the e-mail verification ceremony, the request is submitted
>  for approval by the moderators.  In this case, the way the moderators
>  decline is by doing nothing.

I thought that security@ lists were moderated for subscription but not
for posting.


Re: Operating ooo-security (was RE: Population of ooo-security)

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Dennis E. Hamilton wrote on Fri, Jul 29, 2011 at 13:28:01 -0700:
> We are in a very fledgling situation here.  Let's see if we can clear up a few things.
> 
> Here is my understanding of the situation as it exists at the moment.
> 
>  - Dennis
> 
>  1. The ooo-security@i.a.o list is private and moderated.  Anyone can
>  send a message to the list.  The three current moderators of the list
>  share responsibility for allowing a post onto the list or not.
>  Anyone can also attempt to subscribe to the list.  Once the requester
>  completes the e-mail verification ceremony, the request is submitted
>  for approval by the moderators.  In this case, the way the moderators
>  decline is by doing nothing.

I thought that security@ lists were moderated for subscription but not
for posting.

Re: Operating ooo-security (was RE: Population of ooo-security)

Posted by Rob Weir <ap...@robweir.com>.
On Fri, Jul 29, 2011 at 5:14 PM, Daniel Shahaf <d....@daniel.shahaf.name> wrote:
> Rob Weir wrote on Fri, Jul 29, 2011 at 16:55:06 -0400:
>> For example, I'm not seeing at any stage where we would bring
>> a summary of a reported vulnerability to the PPMC, even on the private
>> list.
>
> The PPMC could, for example, be on the pre-notification list once the fix
> is done.
>

Excellent point.

-Rob

Re: Operating ooo-security (was RE: Population of ooo-security)

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Rob Weir wrote on Fri, Jul 29, 2011 at 16:55:06 -0400:
> For example, I'm not seeing at any stage where we would bring
> a summary of a reported vulnerability to the PPMC, even on the private
> list.

The PPMC could, for example, be on the pre-notification list once the fix
is done.

Re: Operating ooo-security (was RE: Population of ooo-security)

Posted by Rob Weir <ap...@robweir.com>.
On Fri, Jul 29, 2011 at 4:28 PM, Dennis E. Hamilton <or...@apache.org> wrote:
> We are in a very fledgling situation here.  Let's see if we can clear up a few things.
>
> Here is my understanding of the situation as it exists at the moment.
>
>  - Dennis
>
>  1. The ooo-security@i.a.o list is private and moderated.  Anyone can send a message to the list.  The three current moderators of the list share responsibility for allowing a post onto the list or not.  Anyone can also attempt to subscribe to the list.  Once the requester completes the e-mail verification ceremony, the request is submitted for approval by the moderators.  In this case, the way the moderators decline is by doing nothing.
>
>  2. It is the PPMC that is entirely responsible for handling the mitigation of security issues, including undisclosed exploits.  No one else.  That means it is the PPMC that would authorize a patch.  If, for some reason, any non-Apache-committer submitted a patch, it would presumably be treated the same as any patch submission on ooo-dev, apart from the additional secrecy of the activity until the mitigation is in place.

Reading the process, I'm seeing that the security "project team"
decides if a patch is needed.  They authorize it.  That's why I said
the security list is acting as "agents" of the PPMC.  By agreement
we've decided that it is not best for security to have the entire PPMC
on the security list.   So the PPMC has the responsibility and
authority, but cannot effectively exercise it in the absence of
information.    So these decisions are effectively delegated to the
security list members.

So I think you are right, but only if we're careful how we distinguish
"responsibility" and "delegated authority".

>   However, there are many activities that go into the assessment of a security issue and the analysis of potential mitigation approaches.  They might never involve the actual creation of code or patches.
>
>  3. It is the PPMC, as part of its responsibilities, with the advice (and consent?) of security@a.o, that determines how the ooo-security@i.a.o list is managed and who serves on it.
>
>  4. Perhaps we should look at the ooo-security@i.a.o list subscribers as strictly advisory to the PPMC.  The subscribers would have the specific charge of handling the inputs that are accepted as bona fide security matters with appropriate sensitivity.  We need to be careful to operate within the norms for dealing with undisclosed vulnerabilities and prospective exploits and maintaining the security of all preparations and ooo-security@i.a.o are the shepherds for this, let's say.  We don't quite know how this will work out in practice and how much the ooo-security@i.a.o subscribers will work things out before engaging the PPMC as a whole.
>

I'm seeing this as being more than advisory.  For example, I'm not
seeing at any stage where we would bring a summary of a reported
vulnerability to the PPMC, even on the private list.  The whole reason
for having the ooo-security list in the first place was to avoid
having information broadcast widely, which is what would happen with a
PPMC the size we have today.  So I think that ooo-security "owns" the
resolution of reported issues, at least that is how it is described by
this page:

http://www.apache.org/security/committers.html

> In none of this do I see a requirement for a committer, or even PPMC membership for someone who is subscribed to the list for purposes of supporting the coordination with others who need to be responders (as in a multi-alarm fire), and reciprocally, since anyone might be the "first responder."  Requiring an iCLA I can understand, with regard to IP matters that might arise, although that might be more symbolic than essential.  But if the practice is to require PPMC members, then that is what we should do.  The current subscribers are all PPMC members.
>

I'd also note that the subscribers of ooo-security must work well
together with each other and with security.a.o.  This is not only a
technical task, but also a social one and involves how we resolve
disagreements, make decisions, etc.  This should be done in accordance
with The Apache Way.  I think that is important.   We also have a
direct interaction (in the general case) with the external 3rd party
who has submitted the report.  So we're the "Face of Apache" at that
moment, and that is a serious responsibility.  Since we operate in
isolation from the PPMC, for secrecy reasons, we also need the
confidence and trust of the PPMC.  And since we are collaborating on a
patch, in secret, I think the iCLA is relevant.

> Although I favor a more ecumenical arrangement than we are putting in place, we can of course make it work without that.  We can provide liaison already with the small ooo-security@i.a.o subscriber list that we have now.  That will be necessarily selective, and it is not clear what agreement needs to be reached before any external entities are engaged.  We'll have to figure that out.
>

I think it will be good to tease out the differences between getting
help to analyze and resolve an issue versus what additional parties
should receive pre-notification.  It sounds like OpenOffice conflated
both of these things into one list, with one membership.  But they are
really two different things.

> We can also create the arrangements that Rob Weir proposes for having an alert mechanism and having a PPMC-maintained (private) list of contacts both for alerts and for experts.
>
> -----Original Message-----
> From: Danese Cooper [mailto:danese@gmail.com]
> Sent: Friday, July 29, 2011 09:55
> To: ooo-dev@incubator.apache.org
> Subject: Re: Population of ooo-security
>
> [ ... ]
>
>  Only people recognized as committers can "own" the
> problem of security for this codebase.  It is this way to protect both the
> ASF and the codebase.
>
> [ ... ]
>
> I'd propose that we (as a project) decide how best to work with LibreOffice
> to identify people who would like to serve as liaisons for security. If
> indeed nobody wants to sign an iCLA, then we'll gladly subscribe LO to
> receive downstream notifications rather than early disclosure of any issues
> that arise.  That is suboptimal, but until more diplomacy and trust work is
> done it may be the best we can do.
>
> [ ... ]
>
>