openoffice-dev mailing list archives

From Simon Phipps
Subject Re: Neutral / shared security list ...
Date Wed, 19 Oct 2011 23:18:48 GMT
On Wed, Oct 19, 2011 at 10:56 PM, Dennis E. Hamilton wrote:

> If securityteam@ OO.o is preserved, I believe the oversight of security@
> and the care of Apache infrastructure is a bonus.

I disagree. Having an arbitrary steward - regardless of their excellence -
is not the way to sustain (or indeed rebuild) trust. The correct oversight
is the list-members themselves.


Thus I'd propose (in outline):

*  That be used as the shared meta-community
security contact list for projects deriving their source code from the
former Sun-led project. The list would be used for any valid
meta-community security matter including especially announcement

* That the list should be private to list members (and with the consent of
the list, to their project's private security list), with mutually agreed
confidentiality, and populated only with people known to the majority of the
list members as bona fide security-related developers.

*  That the list be populated only with the consent of the existing list
members (suggested process: a list member proposes a new list member with a
brief explanation why they are a good-faith and experienced security
developer in the meta-community. Code-modification-style voting takes place.
A moderator adds the new member. In the event of mishap, list members may be
removed using the same process).

*  Agreeing who the moderators should be by list-member consensus

I'm sure this needs fleshing out by someone more process oriented, but I
suggest this outline represents a workable compromise.


