incubator-general mailing list archives

From Dave Fisher <>
Subject Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of "April2012" by robweir)
Date Thu, 12 Apr 2012 21:58:47 GMT

On Apr 12, 2012, at 2:20 PM, Rob Weir wrote:

> On Thu, Apr 12, 2012 at 5:08 PM, Dave Fisher <> wrote:
>> On Apr 12, 2012, at 1:00 PM, Dennis E. Hamilton wrote:
>>> Yes, this was already raised on the PPMC (on March 22) as you know. It seems
>>> to me that the PPMC is not concerned.
>>> It is interesting that it is thought, here, that the remedy is to add more
>>> ooo-security subscribers from the PPMC. That had not come up before.
>> Well I did raise it on ooo-private. My suggestion was to add someone who
>> understood Linux distributions to ooo-security ASAP. I got blowback. This was
>> unfortunate. Since then we've had discussions about culture, politeness and
>> apologies. There was some discussion about OpenOffice and Linux distro on
>> ooo-dev, but more in context of the AOO release plans.
>> My frustration about not being informed was that no one gave even the slightest
>> notice OFFLIST that there was a reason that certain people were asking the
>> project questions and that things were not as I thought and I should move on
>> and let the world revolve. This is particularly true since I was responding
>> with what I had every reason to believe was the project
>> Emotions pass. What's the root cause? It's a communication problem, why was communication
>> If there are individuals on a PPMC that the podling security team and Mentors
>> feel are not trustworthy enough that it is decided to forgo the minimal
>> courtesy of keeping the PPMC informed to manage the process as Dennis
>> described, then perhaps the problem is with the PPMC membership itself.
>> Normally a podling will set the PMC as part of the graduation resolution.
>> Perhaps the AOO PPMC membership needs to be revised sooner. Any advice?
> So step back, to when the podling received notice of our first
> security report.  The Apache Security Team would not give it to the
> PPMC, not even on ooo-private.  The issue was not the size of the PPMC
> per se, or even its status as a podling.  The issue was the way in
> which the "initial committers" were selected, that anyone could just
> walk in "off the street" in essence, put their name down and be an
> instant PPMC member.  Needless to say, a group of nearly 100 initial
> committers formed that way is not the best way to have a secure
> discussion.
> So the request, at that time, was to make a smaller list ---
> ooo-security -- and to share such sensitive information only on that
> list.  Of course, Mentors and other Apache Members can view that list,
> as can Apache Security Team members.
> I have no doubts that as a TLP the AOO PMC will shed 30%+ of the
> current membership.  That would take care of the names of people who
> signed up, returned the ICLA but then have not been heard of since.  I
> think we can reach the point where matters of some sensitivity can be
> shared more broadly on ooo-private.
> But you also need to understand that this is not only about trust.  It
> is about security.  If I personally trusted you like a brother, and
> trusted every PPMC member like a brother (or sister) it would not make
> sense to share all security information with a list of 90 trusted
> siblings.  Why?  Because of human error.  Because of stolen iPhones.
> Because of accidentally forwarded emails.  Because of accidentally
> typed recipients.  Because of 4am's and because shit happens.  It
> will never make sense to share such sensitive information more broadly
> than needed to deal with the actual security issue.  This is not about
> trust.  It is about compartmentalization.  In other words, the
> security list is about security.

I do understand that security is special. You miss my point. I'm not talking about the actual
security issue detail. Just that a security announcement, release, whatever is about to happen.
As a PPMC member I should be able to ask questions in advance about how it is being handled.
If nothing else, to help make sure that there is some form of oversight.

I am also talking about more subtly informing someone without disclosing any real information.
As you said, security@ did inform us that there was an issue, but not the details.


> -Rob
>> Regards,
>> Dave
>>> - Dennis
>>> -----Original Message-----
>>> From: Ross Gardler []
>>> Sent: Thursday, April 12, 2012 12:41
>>> To:;
>>> Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update
>>> of "April2012" by robweir)
>>> On 12 April 2012 17:32, Dennis E. Hamilton <> wrote:
>>>> I don't think the problem is with the size of the ooo-security list membership.
>>>> I think it is in the assumption that the [P]PMC has somehow delegated the ability
>>>> to make a release of any kind to the ooo-security team.  I don't mean
>>>> slip-streaming fixes and working off the public SVN until that happens.  I mean
>>>> developing and deploying all the rest of what accompanies an advisory along with
>>>> provision of a mitigation.
>>> Whether this is the case or not should be discussed on the ooo-dev
>>> lists rather than the IPMC general list. This is not an IPMC issue.
>>> All IPMC members are free to join that list or read its archives if
>>> they so desire.
>>> Ross

To unsubscribe, e-mail:
For additional commands, e-mail: