incubator-general mailing list archives

From Rob Weir
Subject Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of "April2012" by robweir)
Date Thu, 12 Apr 2012 16:45:52 GMT
On Thu, Apr 12, 2012 at 12:32 PM, Dennis E. Hamilton wrote:
> I don't think the problem is with the size of the ooo-security list membership.  I think
> it is in the assumption that the [P]PMC has somehow delegated the ability to make a release
> of any kind to the ooo-security team.  I don't mean slip-streaming fixes and working off
> the public SVN until that happens.  I mean developing and deploying all the rest of what
> accompanies an advisory along with provision of a mitigation.
>
> The breakdowns were not in analyzing the reported vulnerability and the proof-of-exploit
> that accompanied it.  I assume that ooo-security acquitted itself well in that regard as
> well as with the coordination with other parties, including ones external to Apache, having
> common concerns.  The breakdown was in all of the non-security considerations and assumptions,
> even though they needed to be developed in confidence.  The PPMC would have provided a proper
> arena for working that out.
>
> The PPMC has much to offer concerning the announcement of CVEs and the appropriate coordination
> and form of patch releases/updates.  Those with valuable perspective on the deployment strategy
> and its support might have no sense of the technical work that ooo-security members undertake.

Dennis, if the PPMC wishes to make any changes to the patch, or the
documentation, or the announcement, or the website related to this patch,
they have had that ability for nearly a month now.  But no one,
including yourself, has offered one change.  A lot of criticism,
certainly, but no patches. The actions (or inaction) of the PPMC since
this patch was announced prove the point.  It was good enough, and no
one -- including you -- has ventured to raise a finger to improve any
of the patch materials.

