Re: [tdf-discuss] Process for resolving security issues

Michael Meeks <michael.meeks -AT- collabora.com>
Wed, 05 Mar 2014 13:13:22 +0000

Hi Mike,

On Wed, 2014-03-05 at 11:44 +0000, Mike Hall wrote:

I'm not sure whether this is the right list, but it will do for a start.

I would like to understand what process is in place for handling 
security issues.


        The issue should be reported to security@freedesktop.org this should be
an alias that is easy to find:

        http://lmgtfy.com/?q=libreoffice+security

        However it already has been: read on ...

 The question has arisen because of bug 51819, a serious 
security issue which was reported more than 18 months ago.


        You believe this is a serious security issue; it is not my view, nor is
a view I noticed inside the (private) security team list - where this
issue was pointed out many moons ago. Furthermore, there has been some
rather irritating arm-twisteing attempts on this specific bug, that
further dis-interests people in even doing a good-will fix for it.

 Who at a senior TDF level is responsible for managing security? 
What are the guidelines for the process? Are these documented?


        We don't have a ton of process; however in attempts to build process to
co-erce engineers who volunteer their time seems to have been the modus
operandi so far =)

FWIW, it would be normal in most applications for security issues to 
always be blockers for the next version and to get the highest 
development priority.


        Prioritizing volunteer developers' work is a role that lots of people
would like to volunteer for =) Lets pretend I'm appointed as
chief-prioritizer of other people's spare time - let me tell you: Mike
Hall to go fix the issue, send a patch & then we'll merge it for you
[ how is that working out ? ;-]

        Unfortunately it normally doesn't work that well. If you want the
ability to tell people what to do, the normal convention is to pay for
that. If you are a paying RedHat / SUSE / Ubuntu / Collabora / Lanedo /
Igalia etc. customer you get to report and have such issues fixed.
Furthermore the above are present in the security process - and work
hard to make a security and high quality product for their users.

        I'm sorry if that's a bit harsh - but the discourse here has already
plumbed the depths before you arrived =) (not your fault of course); and
there are plenty of things to be working on in LibreOffice.

        All the best,

                Michael.

-- 
 michael.meeks@collabora.com  <><, Pseudo Engineer, itinerant idiot


-- 
To unsubscribe e-mail to: discuss+unsubscribe@documentfoundation.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.documentfoundation.org/www/discuss/
All messages sent to this list will be publicly archived and cannot be deleted

Context

[tdf-discuss] Process for resolving security issues · Mike Hall
- Re: [tdf-discuss] Process for resolving security issues · Michael Meeks

Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.