On Thu, Apr 12, 2012 at 12:32 PM, Dennis E. Hamilton <dennis.hamil...@acm.org> wrote:

> I don't think the problem is with the size of the ooo-security list
> membership. I think it is in the assumption that the [P]PMC has somehow
> delegated the ability to make a release of any kind to the ooo-security team.
> I don't mean slip-streaming fixes and working off the public SVN until that
> happens. I mean developing and deploying all the rest of what accompanies an
> advisory along with provision of a mitigation.
>
> The breakdowns were not in analyzing the reported vulnerability and the
> proof-of-exploit that accompanied it. I assume that ooo-security acquitted
> itself well in that regard as well as with the coordination with other
> parties, including ones external to Apache, having common concerns. The
> breakdown was in all of the non-security considerations and assumptions, even
> though they needed to be developed in confidence. The PPMC would have
> provided a proper arena for working that out.
>
> The PPMC has much to offer concerning the announcement of CVEs and the
> appropriate coordination and form of patch releases/updates. Those with
> valuable perspective on the deployment strategy and its support might have no
> sense of the technical work that ooo-security members undertake.
>
Dennis, if the PPMC wishes to make any changes to the patch, or the documentation, or the announcement, or the website related to this patch, they have had that ability for nearly a month now. But no one, including yourself, has offered one change. A lot of criticism, certainly, but no patches.

The actions (or inaction) of the PPMC since this patch was announced proves the point. It was good enough, and no one -- including you -- has ventured to raise a finger to improve any of the patch materials.

-Rob

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org