On Thu, Apr 12, 2012 at 5:08 PM, Dave Fisher <dave2w...@comcast.net> wrote:
>
> On Apr 12, 2012, at 1:00 PM, Dennis E. Hamilton wrote:
>
>> Yes, this was already raised on the PPMC (on March 22) as you know. It
>> seems to me that the PPMC is not concerned.
>>
>> It is interesting that it is thought, here, that the remedy is to add more
>> ooo-security subscribers from the PPMC. That had not come up before.
>
> Well I did raise it on ooo-private. My suggestion was to add someone who
> understood Linux distributions to ooo-security ASAP. I got blowback. This
> was unfortunate. Since then we've had discussions about culture, politeness
> and apologies. There was some discussion about OpenOffice and Linux distros on
> ooo-dev, but more in the context of the AOO release plans.
>
> My frustration about not being informed was that no one gave even the
> slightest notice OFFLIST that there was a reason that certain people were
> asking the project questions and that things were not as I thought and I
> should move on and let the world revolve. This is particularly true since I
> was responding with what I had every reason to believe was the project policy.
>
> Emotions pass. What's the root cause? It's a communication problem, why was
> communication blocked?
>
> If there are individuals on a PPMC that the podling security team and Mentors
> feel are not trustworthy enough that it is decided to forgo the minimal
> courtesy of keeping the PPMC informed to manage the process as Dennis
> described, then perhaps the problem is with the PPMC membership itself.
>
> Normally a podling will set the PMC as part of the graduation resolution.
> Perhaps the AOO PPMC membership needs to be revised sooner. Any advice?
>
So step back, to when the podling received notice of our first security report. The Apache Security Team would not give it to the PPMC, not even on ooo-private. The issue was not the size of the PPMC per se, or even its status as a podling. The issue was the way in which the "initial committers" were selected, that anyone could just walk in "off the street" in essence, put their name down and be an instant PPMC member. Needless to say, a group of nearly 100 initial committers formed that way is not the best way to have a secure discussion. So the request, at that time, was to make a smaller list -- ooo-security -- and to share such sensitive information only on that list. Of course, Mentors and other Apache Members can view that list, as can Apache Security Team members.

I have no doubt that as a TLP the AOO PMC will shed 30%+ of the current membership. That would take care of the names of people who signed up, returned the ICLA but then have not been heard of since. I think we can reach the point where matters of some sensitivity can be shared more broadly on ooo-private.

But you also need to understand that this is not only about trust. It is about security. If I personally trusted you like a brother, and trusted every PPMC member like a brother (or sister), it would not make sense to share all security information with a list of 90 trusted siblings. Why? Because of human error. Because of stolen iPhones. Because of accidentally forwarded emails. Because of accidentally typed recipients. Because of 4am's and because shit happens. It will never make sense to share such sensitive information more broadly than needed to deal with the actual security issue. This is not about trust. It is about compartmentalization. In other words, the security list is about security.
-Rob

> Regards,
> Dave
>
>
>>
>> - Dennis
>>
>> -----Original Message-----
>> From: Ross Gardler [mailto:rgard...@opendirective.com]
>> Sent: Thursday, April 12, 2012 12:41
>> To: general@incubator.apache.org; dennis.hamil...@acm.org
>> Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki]
>> Update of "April2012" by robweir)
>>
>> On 12 April 2012 17:32, Dennis E. Hamilton <dennis.hamil...@acm.org> wrote:
>>> I don't think the problem is with the size of the ooo-security list
>>> membership. I think it is in the assumption that the [P]PMC has somehow
>>> delegated the ability to make a release of any kind to the ooo-security
>>> team. I don't mean slip-streaming fixes and working off the public SVN
>>> until that happens. I mean developing and deploying all the rest of what
>>> accompanies an advisory along with provision of a mitigation.
>>>
>>
>> Whether this is the case or not should be discussed on the ooo-dev
>> lists rather than the IPMC general list. This is not an IPMC issue.
>> All IPMC members are free to join that list or read its archives if
>> they so desire.
>>
>> Ross
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
>> For additional commands, e-mail: general-h...@incubator.apache.org
>>