Posted to infrastructure-issues@apache.org by "Rob Weir (Created) (JIRA)" <ji...@apache.org> on 2011/12/14 00:25:30 UTC

[jira] [Created] (INFRA-4216) Need private SVN space for OpenOffice security team

Need private SVN space for OpenOffice security team
---------------------------------------------------

                 Key: INFRA-4216
                 URL: https://issues.apache.org/jira/browse/INFRA-4216
             Project: Infrastructure
          Issue Type: Task
      Security Level: public (Regular issues)
          Components: Subversion
            Reporter: Rob Weir


We need an SVN subtree that the OpenOffice security team can use in its work.   The tree should be private, writable only for those on the ooo-security@i.a.o mailing list and the Apache Security team and invisible (not just read-only) to everyone else.  Commit notifications should go to only ooo-security.i.a.o.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


[jira] [Reopened] (INFRA-4216) Need private SVN space for OpenOffice security team

Posted by "Rob Weir (Reopened) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-4216?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rob Weir reopened INFRA-4216:
-----------------------------


Apache Security Team has already told us that our PPMC is too large to safely allow it access to security-related material.  So we really need this finer level of granularity.

[jira] [Closed] (INFRA-4216) Need private SVN space for OpenOffice security team

Posted by "#asfinfra IRC Bot (Closed) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-4216?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

#asfinfra IRC Bot closed INFRA-4216.
------------------------------------

    Resolution: Won't Fix

[jira] [Commented] (INFRA-4216) Need private SVN space for OpenOffice security team

Posted by "#asfinfra IRC Bot (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-4216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13168887#comment-13168887 ] 

#asfinfra IRC Bot commented on INFRA-4216:
------------------------------------------

<joes4> OTOH we could create a security section of the private ppmc tree, remove access for non-ppmc/ipmc people, and send commit notices to the security list.  Is that acceptable?


[jira] [Commented] (INFRA-4216) Need private SVN space for OpenOffice security team

Posted by "#asfinfra IRC Bot (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-4216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13178475#comment-13178475 ] 

#asfinfra IRC Bot commented on INFRA-4216:
------------------------------------------

<danielsh> so create /pmc/incubator/ooo-security tree with perms @security=rw @incubator-pmc=rw @member=rw @ooo-security=rw *= ?


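Added illustration (my own model, not Apache infra's authz file and not code from anyone in this thread): the rule set danielsh proposes above, written out as a Subversion authz fragment and fed to a small Python evaluator that mimics how Subversion picks the most specific path section and lets a trailing `* =` deny everyone who matches no other rule. The group rosters, the user names, the `[/pmc/incubator]` section and the `@ooo-ppmc` group are constructed for the example; the rule precedence it applies (a rule naming the user beats group rules, which beat `*`, with several matching group rules unioned) is an assumption modelled on the order Subversion 1.10 documents. What it makes concrete is the "invisible, not just read-only" requirement from the issue: a PPMC member who has rw on the parent private tree gets no access at all under the ooo-security subtree, because the subtree's own `* =` rule, not the parent section, decides for her.

```python
"""Evaluate effective Subversion authz access for a user at a path.

Added example: a model of the proposed ACL, not Apache infra's real
configuration.  All group membership below is constructed.
"""
import configparser

# Constructed authz fragment.  The /pmc/incubator/ooo-security section carries
# the rules danielsh proposed; the parent section, the rosters and the
# @ooo-ppmc group are assumptions made up for this example.
AUTHZ = """
[groups]
security = mark, joe
incubator-pmc = joe, wrowe
member = @security, wrowe
ooo-ppmc = rob, alice, carol
ooo-security = rob, alice

[/pmc/incubator]
@incubator-pmc = rw
@member = rw
@ooo-ppmc = rw
* =

[/pmc/incubator/ooo-security]
@security = rw
@incubator-pmc = rw
@member = rw
@ooo-security = rw
* =
"""


def _parse(authz_text):
    cp = configparser.ConfigParser(delimiters=("=",), allow_no_value=True,
                                   interpolation=None)
    cp.optionxform = str  # keep '@group' and '*' keys exactly as written
    cp.read_string(authz_text)
    return cp


def _expand_groups(cp):
    """Resolve [groups] into {group: set(users)}, following nested @group refs."""
    raw = {}
    if cp.has_section("groups"):
        for g, v in cp["groups"].items():
            raw[g] = [m.strip() for m in (v or "").split(",") if m.strip()]

    def members(name, seen=()):
        users = set()
        for m in raw.get(name, []):
            if m.startswith("@"):
                if m[1:] not in seen:  # guard against cyclic group definitions
                    users |= members(m[1:], seen + (name,))
            else:
                users.add(m)
        return users

    return {g: members(g) for g in raw}


def _section_decision(section, user, user_groups):
    """Apply one path section.  Returns '', 'r' or 'rw', or None when no rule
    in the section matches the user (Subversion then consults the parent path).
    Precedence (assumed): user rule > group rules (unioned) > '*'."""
    if user in section:
        return section[user] or ""
    group_perms = [section[key] or "" for key in section
                   if key.startswith("@") and key[1:] in user_groups]
    if group_perms:
        if any("w" in p for p in group_perms):
            return "rw"
        return "r" if any("r" in p for p in group_perms) else ""
    if "*" in section:
        return section["*"] or ""
    return None


def effective_access(authz_text, user, path):
    """Walk from `path` towards '/' and return the first matching section's
    decision, the way Subversion selects the most specific path rule.
    No matching rule anywhere means no access."""
    cp = _parse(authz_text)
    user_groups = {g for g, users in _expand_groups(cp).items() if user in users}
    node = path.rstrip("/") or "/"
    while True:
        if cp.has_section(node):
            decision = _section_decision(cp[node], user, user_groups)
            if decision is not None:
                return decision
        if node == "/":
            return ""
        node = node.rsplit("/", 1)[0] or "/"


if __name__ == "__main__":
    for u in ("alice", "carol", "mark", "wrowe", "nobody"):
        parent = effective_access(AUTHZ, u, "/pmc/incubator")
        sub = effective_access(AUTHZ, u, "/pmc/incubator/ooo-security")
        print(f"{u:7} /pmc/incubator={parent!r:5} /pmc/incubator/ooo-security={sub!r}")
```

Running it shows carol (constructed PPMC member, not on ooo-security) with 'rw' on the parent tree and '' on the subtree, while alice (on ooo-security) and mark (on the security team via the nested `member` group) get 'rw' on both; a file below the subtree inherits the subtree's decision because the walk stops at the first section with a matching rule.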

[jira] [Commented] (INFRA-4216) Need private SVN space for OpenOffice security team

Posted by "William A. Rowe, Jr. (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-4216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13173993#comment-13173993 ] 

William A. Rowe, Jr. commented on INFRA-4216:
---------------------------------------------

It is my opinion that the IPMC will essentially ratify the recommendations of the PPMC with respect to a security response team.

The httpd response team, in my experience, consists of those who are willing to respond to at least 1/5 incidents and make a substantial contribution to the solution or reviewing the solution to a security report.  An arbitrary list of 80+ individuals isn't advisable for a security advisory/notice/action item.  Divide this by 4, for those who are willing to react promptly, and you have a manageable and 2^2 more secure list.

The policy *must* be this: that all interested PPMC members *may* subscribe without further consensus or consent (once graduated, this translates to any PMC member), and that PMC members who do NOT contribute are encouraged to unsubscribe to avert inadvertent disclosures.

[jira] [Commented] (INFRA-4216) Need private SVN space for OpenOffice security team

Posted by "Mark Thomas (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-4216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13173969#comment-13173969 ] 

Mark Thomas commented on INFRA-4216:
------------------------------------

<hat role="security">
Yes it is. The security team is responsible for ensuring that projects are handling security reports appropriately and where they are not, highlighting that to the board. The security team's concern is not the size of the OOo PPMC but the low barrier to entry that was used to establish the membership: add your name and e-mail address to a wiki page.

The ASF receives security reports in confidence and there is an expectation that we keep those reports private. Normally, if we get this wrong only the project concerned is damaged. However, OOo is different. There is an ecosystem of related projects where a security vulnerability in one is likely to affect all. Therefore, we need to be particularly careful to keep any vulnerability information confidential as it wouldn't just be ourselves we were harming if we leaked the information, but all the projects in the ecosystem.

Access to OOo security vulnerabilities needs to be limited to trusted individuals. Adding your name and e-mail to a wiki page is not sufficient to establish the trust necessary to have access to the OOo security vulnerability reports.

If the current OOo security team is confident that they have the necessary level of trust in every single PPMC member then there is no problem in using the private PPMC repo. I would expect this point to be reached at some point as members of the PPMC demonstrate their trustworthiness or, in the odd case, inactive folks are removed from the PPMC.
</hat>

<hat role="infra">
Why is a separate svn tree required? Many projects (for example httpd and Tomcat) manage security vulnerabilities without requiring a separate svn tree.

A question for joes4. If separate authorisation is required, I assume we could limit a sub-tree of the OOo PPMC private repo to the OOo security team. Whether we would want the admin overhead of doing so is a separate issue.
</hat>

[jira] [Commented] (INFRA-4216) Need private SVN space for OpenOffice security team

Posted by "#asfinfra IRC Bot (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-4216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13168863#comment-13168863 ] 

#asfinfra IRC Bot commented on INFRA-4216:
------------------------------------------

<joes4> No- ooo already has a private pmc svn area- there should be no further granularity other than that.


[jira] [Commented] (INFRA-4216) Need private SVN space for OpenOffice security team

Posted by "Rob Weir (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-4216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13174112#comment-13174112 ] 

Rob Weir commented on INFRA-4216:
---------------------------------

Mark asked "Why is a separate svn tree required? Many projects (for example httpd and Tomcat) manage security vulnerabilities without requiring a separate svn tree."

Since I'm not a member of those security teams, I don't know how they handle things.  Perhaps a unique circumstance of AOO is that we continue to receive and process reports against the legacy pre-Apache release.  We need some way to track those and apply fixes to the first Apache release, currently estimated for Q1 2012.  Since ooo-security is a private list with no archives viewable to our participants (as we're not Apache members), list members have no access to persistent storage of any kind to record the status of issues, reports and patches received, etc.

With a much narrower period of time between releases, this would be far less of an issue.  But we're starting from a point where the first release of AOO will be a year after the last release of the legacy OpenOffice.  This gives us too many reports, too many patches, too many reporters to follow up with, etc., to trust entirely to mere memory.

Does that make sense?

SVN seems like the most natural solution.  But a private ftp directory or a private wiki would work just as well.

[jira] [Commented] (INFRA-4216) Need private SVN space for OpenOffice security team

Posted by "Joe Schaefer (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-4216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13173974#comment-13173974 ] 

Joe Schaefer commented on INFRA-4216:
-------------------------------------

PMC members are responsible for overseeing every aspect of their projects, including security.  That is and will remain ASF policy, this discussion notwithstanding.  The PMC here is actually the IPMC, not the PPMC, which has no formal standing.  I have no problem setting up an ACL limiting access to selected PPMC members and the Apache Security Team; however, the IPMC must be able to review and participate in the activity in those areas.


[jira] [Closed] (INFRA-4216) Need private SVN space for OpenOffice security team

Posted by "#asfinfra IRC Bot (Closed) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-4216?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

#asfinfra IRC Bot closed INFRA-4216.
------------------------------------

    Resolution: Fixed

[jira] [Commented] (INFRA-4216) Need private SVN space for OpenOffice security team

Posted by "#asfinfra IRC Bot (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-4216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13179287#comment-13179287 ] 

#asfinfra IRC Bot commented on INFRA-4216:
------------------------------------------

<danielsh> Created https://svn.apache.org/repos/private/pmc/incubator/ooo-security, mentors need to grant access to podling committers to it


[jira] [Commented] (INFRA-4216) Need private SVN space for OpenOffice security team

Posted by "#asfinfra IRC Bot (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-4216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13173765#comment-13173765 ] 

#asfinfra IRC Bot commented on INFRA-4216:
------------------------------------------

<joes4> That's not the security team's call to make.  Your original request would be unprecedented were we to follow thru on it.
