openoffice-dev mailing list archives

From Rob Weir <>
Subject Re: Population of ooo-security
Date Mon, 01 Aug 2011 23:57:45 GMT
On Mon, Aug 1, 2011 at 7:40 PM, Simon Phipps <> wrote:
> On Mon, Aug 1, 2011 at 12:15 PM, Rob Weir <> wrote:
>> On Mon, Aug 1, 2011 at 2:59 PM, Simon Phipps <> wrote:
>> > One observation about this discussion:  Until there is actually a way to
>> > make a binary deliverable from AOOo, any inbound security alerts would
>> > probably need to be referred to LibreOffice anyway. While the Apache-only
>> > list that's being speculatively designed here might be applicable once the
>> > project is creating deliverables, but until then a pragmatic approach of a
>> > temporary and inclusive list seems hugely preferable.
>> >
>> It is possible that some reports would be shared.  It is also possible
>> that some would not.  For example, a report might be a duplicate.  It
>> might be wrong.  It might be spam.  It might require a followup to
>> clarify. It might involve code that doesn't exist in LibreOffice.  The
>> discretion lies with the PPMC and their delegates.
>> The Apache Security page makes it clear to reporters that they are
>> reporting a vulnerability to Apache where it will be discussed
>> privately by the project team.  They are not told that their report,
>> with their name, company affiliation and other contact info, will be
>> shared more broadly than that.  So even in instances where we did
>> share information, such as with a 3rd party expert or via a
>> pre-notification, that initial report would only be shared in
>> anonymized form.
> I don't think I understand how your response, which refers to the
> functioning of a future list once AOOo has an operational development
> process, applies to my comment, which refers to the situation now when any
> incoming security issue would probably be triaged by fixing & recommending
> use of LibreOffice.

The existence and staffing of ooo-security is part of AOOo
development.  It is not something outside of a development process.
Not every report we receive necessarily results in the production of
an urgent patch.  But if such a situation occurred, then we'd discuss
on ooo-security and develop a recommendation.  But regardless of the
disposition of the report, I think it is important to respect the
privacy of the reporter.

> S.
