On Sun, Apr 21, 2013 at 9:25 AM, janI <j...@apache.org> wrote:
> On Apr 21, 2013 2:15 PM, "Rob Weir" <robw...@apache.org> wrote:
> >
> > On Sun, Apr 21, 2013 at 4:58 AM, Andrea Pescetti <pesce...@apache.org> wrote:
> >
> > > As you can see in
> > > http://sourceforge.net/projects/libwpd/files/libwpd/libwpd-0.9.7/
> > > http://sourceforge.net/projects/libwps/files/libwps/libwps-0.2.8/
> > > http://sourceforge.net/projects/libwpg/files/libwpg/libwpg-0.2.2/
> > >
> > > the three libraries that OpenOffice was using to import WordPerfect, MS
> > > Works and WordPerfect Graphics files have now been dual-licensed; one of
> > > the licenses is MPLv2.
> > >
> > > Does this mean that we can include them back in OpenOffice if we wish to
> > > do so? If I recalled correctly, they were removed as of 3.4.0 due to
> > > incompatible licensing. Any reasons for/against including them now?
> > >
> >
> > If we do we'll need to be careful that we don't reintroduce this issue:
> >
> > http://www.openoffice.org/security/cves/CVE-2012-2149.html
> >
> > Security team has the details.
>
> I have heard several times that we have a security team, but apart from a
> couple of very old mail threads they seem to be invisible. As I deal with
> security issues at least once a week it would be nice to have the members
> on a public list. I apologize in advance if the list exists and I just
> missed it.
>
Due to the nature of their work the security team works on a private list.

There is an ASF security team, info here:

http://www.apache.org/security/

They then coordinate with project-specific security teams. Some projects just use their private PMC lists for this work. Some (like AOO) have a dedicated private list, self-selected from the PMC.

Our page is here:

http://openoffice.apache.org/security.html

Note: these security lists are generally for reviewing and resolving reported vulnerabilities in our software and preparing CVE reports. Typically a security researcher will find a vulnerability, report it to the vendor, and give the vendor an opportunity to fix the problem before they go public. This is a practice called "responsible disclosure".

On the AOO security list we don't discuss issues related to our servers. If we did get such a report we'd go directly to infrastructure-private@.

Hopefully that clears up what the security team does. Maybe for what you're looking for a public ad...@openoffice.apache.org list would be good?

Regards,

-Rob

> It would also be nice to know the charter of the team, does it include
> download, wiki etc.
>
> rgds
> jan I
> >
> > -Rob
> >
> > >
> > > Regards,
> > > Andrea.