Hi -

> On Dec 22, 2020, at 7:37 AM, Jörg Schmidt <[email protected]> wrote:
> 
>> -----Original Message-----
>> From: Marcus [mailto:[email protected]] 
>> Sent: Tuesday, December 22, 2020 12:37 PM
>> To: [email protected]
>> Subject: Re: Security vulnerabilities in AOO?
> 
>>> To do this, I need to acquire factual knowledge, and also 
>>> understand which criticism is based on facts and which is 
>>> (possibly) just based on anti-AOO marketing.
>> 
>> I don't understand why you try to answer these things. It's 
>> absolutely OK when you go the easy way and just point them to the 
>> security@ mailing list.
> 
> 1.
> Especially because I'm paid professionally as an IT consultant to answer 
> questions like this for my customers.
> Do you think customers who hear from others that AOO is supposedly insecure 
> because it doesn't fix security problems quickly, would be pleased if I 
> referred them to security@?

The purpose of [email protected] is for security issues to be reported 
so that AOO PMC members are aware of the issue and can discuss the bug and fix 
with the reporter. The discussion includes the timing of disclosure.

AOO shares a security list with the TDF - [email protected] - 
we see any discussions there on security@openoffice. LO's security issues are 
not always ours.

The best way to increase the frequency of any security fixes is to increase the 
frequency of minor releases.

> 
> 2.
> What is the point of recommending that third parties refer to security@ when 
> it says on https://www.apache.org/security/committers.html:
> 
> "They are _not intended to be used as a third-party notification system_ and 
> non-committers should not be subscribed to the lists."

This means that security@apache mailing lists are not for announcing CVEs. 
Users are notified of security fixes via announce@apache mailing lists. These 
notifications happen with or just after a release.

The security@ mailing lists are for detailed predisclosure discussion of 
reported security issues. These must be private. The PMC will privately 
determine if someone should be allowed to subscribe to 
[email protected] and any ASF member can look to see what's going on.

Should a security issue already be publicly disclosed, you can bring it up here 
on dev@. The developers can decide how much to keep more secret about the fix. 
It will depend on the exploit. For example, an exploit may actually expose a 
larger problem with additional not publicly known exploits.

I hope this helps.

Regards,
Dave

> 
> 
> greetings,
> Jörg