incubator-general mailing list archives

From Ross Gardler <>
Subject Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of "April2012" by robweir)
Date Thu, 12 Apr 2012 09:30:39 GMT
Personally I believe that:

a) each podling is unique and has unique circumstances that only the
active mentors are aware of

b) that AOO has a real problem with a small number of very vocal
individuals outside the project seeking to undermine the AOO community
(this was evidenced in the run up to the coordinated patch release)

c) that we should not try to provide general guidelines for handling
extremely unusual circumstances that are unlikely to occur again

That being said I will again summarise what I believe the IPMC can
take away from this:

- all mentors should be included in the process, not a subset

- at least the IPMC chair should be involved, if not the whole IPMC

I don't think these should be *rules*, just things that *might* have
been handled differently in this specific instance.


On 12 April 2012 10:04, ant elder <> wrote:
> On Thu, Apr 12, 2012 at 9:36 AM, Ross Gardler
> <> wrote:
>> On 12 April 2012 09:27, Ross Gardler <> wrote:
>>> On 12 April 2012 08:59, ant elder <> wrote:
>>>> On Thu, Apr 12, 2012 at 8:37 AM, Ross Gardler
>>>> <> wrote:
>>>>> On 12 April 2012 07:48, Dave Fisher <> wrote:
>>>>> ...
>>>>>> Sorry, I can't remain mute, but I offended anyone, sorry, but this
>>>>>> was wrongly done. I don't know a better way....
>>>>> As one of the "inner circle" I am not offended. All your points are
>>>>> valid. Thank you for sharing them.
>>>>> This was the first and, in all likelihood, the last time such an
>>>>> unusual circumstance will arise. There is no right or wrong way of
>>>>> handling these things.
>>>>> Had we included x then y would have felt excluded, this is what we are
>>>>> seeing here. However, the line must be drawn somewhere.
>>>> Surely at the ASF the line is at PMC membership. If only a subset of
>>>> the PPMC is trusted enough to be part of some inner circle then the
>>>> PPMC should be disbanded and reformed from just that inner circle.
>>> This is a podling with a very unusual history. It is not as simple as
>>> that. However, your general observation is a valid one. The time for
>>> addressing this is during incubation when it becomes possible to
>>> determine who is contributing positively to the running of the PPMC.
>> I should also point out that the perception that information was kept
>> to a limited group implies mistrust of PPMC members is *false*. The
>> PPMC have an appointed security team just as many top level PMCs do;
>> that team is tasked with handling security issues and it did so in
>> this case.
>> As has been noted, this was *not* an ASF release, only one
>> *facilitated* by the ASF in the interests of supporting legacy users
>> of a project that has come to incubation. It is a very unusual
>> situation to which normal ASF policy does not apply. Handling it
>> outside normal ASF processes does not imply a problem with those
>> processes or the PPMC.
>> Ross
> Ross, I'm not trying to stick an oar in or anything and I don't know
> the details of what was done other than what's in this thread here, it
> just seems odd to me and it seems like there is some acknowledgement
> that this wasn't done perfectly so we the Incubator PMC should
> understand what happened. Sure there are other security teams but
> AFAIK they operate in conjunction with PMCs and keep PMCs in the loop
> that something is going on just withholding precise details of the
> vulnerability.
>   ...ant

Ross Gardler (@rgardler)
Programme Leader (Open Development)
