incubator-general mailing list archives

From Rob Weir <>
Subject Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of "April2012" by robweir)
Date Thu, 12 Apr 2012 21:20:33 GMT
On Thu, Apr 12, 2012 at 5:08 PM, Dave Fisher <> wrote:
> On Apr 12, 2012, at 1:00 PM, Dennis E. Hamilton wrote:
>> Yes, this was already raised on the PPMC (on March 22) as you know.  It seems to me that the PPMC is not concerned.
>> It is interesting that it is thought, here, that the remedy is to add more ooo-security subscribers from the PPMC.  That had not come up before.
> Well I did raise it on ooo-private. My suggestion was to add someone who understood Linux distributions to ooo-security ASAP. I got blowback. This was unfortunate. Since then we've had discussions about culture, politeness and apologies. There was some discussion about OpenOffice and Linux distro on ooo-dev, but more in context of the AOO release plans.
> My frustration about not being informed was that no one gave even the slightest notice OFFLIST that there was a reason that certain people were asking the project questions and that things were not as I thought and I should move on and let the world revolve. This is particularly true since I was responding with what I had every reason to believe was the project
> Emotions pass. What's the root cause? It's a communication problem, why was communication
> If there are individuals on a PPMC that the podling security team and Mentors feel are not trustworthy enough that it is decided to forgo the minimal courtesy of keeping the PPMC informed to manage the process as Dennis described then perhaps the problem is with the PPMC membership itself.
> Normally a podling will set the PMC as part the graduation resolution. Perhaps the AOO PPMC membership needs to be revised sooner. Any advice?

So step back, to when the podling received notice of our first
security report.  The Apache Security Team would not give it to the
PPMC, not even on ooo-private.  The issue was not the size of the PPMC
per se, or even its status as a podling.  The issue was the way in
which the "initial committers" were selected, that anyone could just
walk in "off the street" in essence, put their name down and be an
instant PPMC member.  Needless to say, a group of nearly 100 initial
committers formed that way is not the best way to have a secure

So the request, at that time, was to make a smaller list ---
ooo-security -- and to share such sensitive information only on that
list.  Of course, Mentors and other Apache Members can view that list,
as can Apache Security Team members.

I have no doubts that as a TLP the AOO PMC will shed 30%+ of the
current membership.  That would take care of the names of people who
signed up, returned the ICLA but then have not been heard of since.  I
think we can reach the point where matters of some sensitivity can be
shared more broadly on ooo-private.

But you also need to understand that this is not only about trust.  It
is about security.  If I personally trusted you like a brother, and
trusted every PPMC member like a brother (or sister) it would not make
sense to share all security information with a list of 90 trusted
siblings.  Why?  Because of human error.  Because of stolen iPhones.
Because of accidentally forwarded emails.  Because of accidentally
typed recipients.  Because of 4am's and because shit happens.  It
will never make sense to share such sensitive information more broadly
than needed to deal with the actual security issue.  This is not about
trust.  It is about compartmentalization.  In other words, the
security list is about security.


> Regards,
> Dave
>> - Dennis
>> -----Original Message-----
>> From: Ross Gardler []
>> Sent: Thursday, April 12, 2012 12:41
>> To:;
>> Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of "April2012" by robweir)
>> On 12 April 2012 17:32, Dennis E. Hamilton <> wrote:
>>> I don't think the problem is with the size of the ooo-security list membership.  I think it is in the assumption that the [P]PMC has somehow delegated the ability to make a release of any kind to the ooo-security team.  I don't mean slip-streaming fixes and working off the public SVN until that happens.  I mean developing and deploying all the rest of what accompanies an advisory along with provision of a mitigation.
>> Whether this is the case or not should be discussed on the ooo-dev
>> lists rather than the IPMC general list. This is not an IPMC issue.
>> All IPMC members are free to join that list or read its archives if
>> they so desire.
>> Ross
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> For additional commands, e-mail:
