Comments in-line.

> -----Original Message-----
> From: Peter Kovacs [mailto:legi...@gmail.com]
> Sent: Tuesday, December 20, 2016 01:41
> To: dev <dev@openoffice.apache.org>; gan.kokleong.adr...@stee.stengg.com
> Subject: Re: SSDLC Compliance - OpenOffice
>
> As usual I forgot to add people probably not subscribed to the list.
>
> Peter Kovacs <legi...@gmail.com> wrote on Tue., 20 Dec 2016, 10:39:
>
> > Hi,
> >
> > Can you elaborate on this?
> > Do you simply want to know or do you need this as an official statement?
> > I think you are querying the wrong project if you need an official response.
> > OpenOffice 3.3.1 and older were maintained by Oracle. I am not sure if
> > the Apache Foundation has the right to speak for this time. As LibreOffice we
> > are a successor to the Oracle OpenOffice Project.
> >
> > This is of course my personal opinion. I am not sure if the Apache Foundation
> > has the same opinion as me on this.
> >
> > All the best
> > Peter
> >
> > GAN Kok Leong, Adrian <gan.kokleong.adr...@stee.stengg.com> wrote on
> > Tue., 20 Dec 2016, 08:50:
> >
> > Hi,
> >
> > I would like to find out whether OpenOffice versions 3.3 and 3.3.1 are
> > developed and comply with the Secure Software Development Life Cycle?

[orcmid]
I am confident that there were no Capability Maturity Model or related assurance processes applied when OpenOffice.org was developed under the umbrella of Sun Microsystems and then Oracle Corporation. At Apache OpenOffice, there is no such process, including for the Secure Software Development Life Cycle, if you are referring to <https://www.us-cert.gov/bsi/articles/knowledge/sdlc-process/secure-software-development-life-cycle-processes>.

There is no means for assessment of Trusted CMM for Apache OpenOffice, since there is no process management in the sense involved in the Capability Maturity Model. Lacking process management, there is also no accountability concerning processes in the sense considered in the CMM. Those with a sense of humor would consider this to be somewhere less than CMM Level 1. It is not clear to me how open-source governance, providing software free to the public without warranty and entirely driven by a meritocracy of unpaid volunteers who choose what and how they work on something, would accomplish this. In any case, it is not a consideration at Apache OpenOffice. I cannot recall ever seeing anything recognizable as the activities identified at <https://www.owasp.org/index.php/Secure_SDLC_Cheat_Sheet>.

I cannot speak for LibreOffice. There might be more management structure than for Apache projects. I believe there is a core engineering team. Whether there is much attention to SSDLC processes and the necessary accountability and concrete assessment is something that needs to be discussed with the LibreOffice team. Speculations here on dev@oo.a.o are useless. Most of the claims I see about dependability or lack thereof are anecdotal and based on sparse evidence.
Although the Microsoft Security Development Lifecycle (SDL) is a security assurance process that might be adaptable, I am not aware of any effort to investigate that for open-source projects such as OpenOffice, and my suspicion is that there is no such interest (more likely, that there would be hostility) despite the good reputation of that process, <https://www.microsoft.com/en-us/sdl/default.aspx>. I have never seen threat modeling performed at Apache OpenOffice, for example.

Thanks for asking. It is a great question.

 - Dennis

> >
> > Regards
> > Adrian Gan
> >
> >
> > [This e-mail is confidential and may be privileged. If you are not the
> > intended recipient, please kindly notify us immediately and delete the
> > message from your system; please do not copy or use it for any purpose, nor
> > disclose its contents to any other person. Thank you.]
> > ---ST Electronics Group---
> >
> > --
> >
> > Disclaimer: This message comes from a Google account. Your reply will be
> > stored in the Google Cloud and scanned by Google algorithms for advertising
> > analysis. It currently cannot be ruled out that your message will also be
> > reviewed by an NSA employee. By communicating with this account you agree
> > that your mail, your contact details and the appointments you arrange with me
> > will be stored online in the Google Cloud under Google's terms. If you do not
> > wish this, please contact me immediately so that we can, for example,
> > negotiate alternatives.