Group Proposal, for discussion: Vulnerability Group


Group Proposal, for discussion: Vulnerability Group

mark.reinhold
(This is not a call for votes; it is just a call for discussion.)

The Governing Board has been discussing the creation of a Vulnerability
Group for a while now.  This new Group is intended to be a secure,
private forum in which trusted members of the OpenJDK Community can
receive reports of vulnerabilities in OpenJDK code bases, review them,
collaborate on fixing them, and coordinate the release of such fixes.

This Group will be unusual in several respects, due to the sensitive
nature of its work: Membership will be more selective, there will be a
strict communication policy, and members (or their employers) will need
to sign a non-disclosure and license agreement.  These requirements do,
strictly speaking, violate the OpenJDK Bylaws.  The Governing Board has
discussed this, however, and I expect that the Board will approve the
creation of this Group with these exceptional requirements.

I've posted a detailed proposal for the Vulnerability Group here:

  http://cr.openjdk.java.net/~mr/ojvg/

That document contains a link to a draft of the non-disclosure and
license agreement.

The initial Lead of the Vulnerability Group will be Andrew Gross, who
leads Oracle's internal Java Vulnerability Team.

Comments?

- Mark

Re: Group Proposal, for discussion: Vulnerability Group

Martijn Verburg
Hi Mark,

Totally applaud this idea!  I have some suggested wording changes that
might be easiest to suggest as a diff or some sort of track changes on the
original text.  Do you have a preferred mechanism for that type of feedback?


Cheers,
Martijn

On 24 August 2017 at 16:49, <[hidden email]> wrote:

> (This is not a call for votes; it is just a call for discussion.)
>
> The Governing Board has been discussing the creation of a Vulnerability
> Group for a while now.  This new Group is intended to be a secure,
> private forum in which trusted members of the OpenJDK Community can
> receive reports of vulnerabilities in OpenJDK code bases, review them,
> collaborate on fixing them, and coordinate the release of such fixes.
>
> This Group will be unusual in several respects, due to the sensitive
> nature of its work: Membership will be more selective, there will be a
> strict communication policy, and members (or their employers) will need
> to sign a non-disclosure and license agreement.  These requirements do,
> strictly speaking, violate the OpenJDK Bylaws.  The Governing Board has
> discussed this, however, and I expect that the Board will approve the
> creation of this Group with these exceptional requirements.
>
> I've posted a detailed proposal for the Vulnerability Group here:
>
>   http://cr.openjdk.java.net/~mr/ojvg/
>
> That document contains a link to a draft of the non-disclosure and
> license agreement.
>
> The initial Lead of the Vulnerability Group will be Andrew Gross, who
> leads Oracle's internal Java Vulnerability Team.
>
> Comments?
>
> - Mark
>

Re: Group Proposal, for discussion: Vulnerability Group

Mario Torre-5
Hi Mark!

This is fantastic news, thanks for moving this forward!

My only complaint is that now I have one argument less for FOSDEM ;)

Cheers,
Mario


2017-08-24 17:49 GMT+02:00  <[hidden email]>:

> (This is not a call for votes; it is just a call for discussion.)
>
> The Governing Board has been discussing the creation of a Vulnerability
> Group for a while now.  This new Group is intended to be a secure,
> private forum in which trusted members of the OpenJDK Community can
> receive reports of vulnerabilities in OpenJDK code bases, review them,
> collaborate on fixing them, and coordinate the release of such fixes.
>
> This Group will be unusual in several respects, due to the sensitive
> nature of its work: Membership will be more selective, there will be a
> strict communication policy, and members (or their employers) will need
> to sign a non-disclosure and license agreement.  These requirements do,
> strictly speaking, violate the OpenJDK Bylaws.  The Governing Board has
> discussed this, however, and I expect that the Board will approve the
> creation of this Group with these exceptional requirements.
>
> I've posted a detailed proposal for the Vulnerability Group here:
>
>   http://cr.openjdk.java.net/~mr/ojvg/
>
> That document contains a link to a draft of the non-disclosure and
> license agreement.
>
> The initial Lead of the Vulnerability Group will be Andrew Gross, who
> leads Oracle's internal Java Vulnerability Team.
>
> Comments?
>
> - Mark



--
pgp key: http://subkeys.pgp.net/ PGP Key ID: 80F240CF
Fingerprint: BA39 9666 94EC 8B73 27FA  FC7C 4086 63E3 80F2 40CF

Java Champion - Blog: http://neugens.wordpress.com - Twitter: @neugens
Proud GNU Classpath developer: http://www.classpath.org/
OpenJDK: http://openjdk.java.net/projects/caciocavallo/

Please, support open standards:
http://endsoftpatents.org/

Re: Group Proposal, for discussion: Vulnerability Group

mark.reinhold
2017/8/24 10:33:41 -0700, [hidden email]:
> Totally applaud this idea!  I have some suggested wording changes that
> might be easiest to suggest as a diff or some sort of track changes on the
> original text.  Do you have a preferred mechanism for that type of feedback?

If you'd like to propose a patch, I've posted the Markdown source here:

  http://cr.openjdk.java.net/~mr/ojvg/ojvg.md

- Mark

Re: Group Proposal, for discussion: Vulnerability Group

Weijun Wang
Suppose I am a "recognized" expert in Area A, and Bob is one in Area B. We both have been handling security issues before. Does this mean we would both be included in the group and I can read all discussions in Area B?

Also, what is the proper way to temporarily include someone when working on a specific bug? For example, a test engineer, a 3rd-party expert (Ex: a bug only on Windows and we work with someone in Microsoft) or a customer. Since [hidden email] is not open to them I assume I cannot CC one while writing to this list. Do I just talk to him/her one-to-one?

Thanks
Max

> On Aug 24, 2017, at 11:49 PM, [hidden email] wrote:
>
> (This is not a call for votes; it is just a call for discussion.)
>
> The Governing Board has been discussing the creation of a Vulnerability
> Group for a while now.  This new Group is intended to be a secure,
> private forum in which trusted members of the OpenJDK Community can
> receive reports of vulnerabilities in OpenJDK code bases, review them,
> collaborate on fixing them, and coordinate the release of such fixes.
>
> This Group will be unusual in several respects, due to the sensitive
> nature of its work: Membership will be more selective, there will be a
> strict communication policy, and members (or their employers) will need
> to sign a non-disclosure and license agreement.  These requirements do,
> strictly speaking, violate the OpenJDK Bylaws.  The Governing Board has
> discussed this, however, and I expect that the Board will approve the
> creation of this Group with these exceptional requirements.
>
> I've posted a detailed proposal for the Vulnerability Group here:
>
>  http://cr.openjdk.java.net/~mr/ojvg/
>
> That document contains a link to a draft of the non-disclosure and
> license agreement.
>
> The initial Lead of the Vulnerability Group will be Andrew Gross, who
> leads Oracle's internal Java Vulnerability Team.
>
> Comments?
>
> - Mark


Re: Group Proposal, for discussion: Vulnerability Group

Martijn Verburg
Hi Mark,

Apologies for the radio silence.  I was going to suggest edits de-emphasising
Oracle's leadership / central role in this group, not because Oracle
doesn't deserve to or have the right to lead, but more that I wanted to see
the principles of shared vulnerability ownership (across all the vendors)
front and center in the proposal.

After a careful re-read of the doc I've realised that my impression was
plain wrong and that the shared ownership is very much advocated.

Thanks again for proposing this important group, it's really good to see!



Cheers,
Martijn

On 24 August 2017 at 22:16, <[hidden email]> wrote:

> 2017/8/24 10:33:41 -0700, [hidden email]:
> > Totally applaud this idea!  I have some suggested wording changes that
> > might be easiest to suggest as a diff or some sort of track changes on
> the
> > original text.  Do you have a preferred mechanism for that type of
> feedback?
>
> If you'd like to propose a patch, I've posted the Markdown source here:
>
>   http://cr.openjdk.java.net/~mr/ojvg/ojvg.md
>
> - Mark
>

Re: Group Proposal, for discussion: Vulnerability Group

Volker Simonis
Hi,

what's the current status of this group/proposal?

Can you please at least post a final version of the "OPENJDK
VULNERABILITY GROUP NONDISCLOSURE AND LICENSE AGREEMENT"? The one you
cite (http://cr.openjdk.java.net/~mr/ojvg/ojvg-ndla-draft-2017-01-23.pdf)
is still marked as "Draft". I really want to get this agreement signed
by my employer but I'm currently stuck because it makes little sense
to sign a draft document.

Thank you and best regards,
Volker


On Tue, Sep 5, 2017 at 8:38 PM, Martijn Verburg
<[hidden email]> wrote:

> Hi Mark,
>
> Apologies for the radio silence.  I was going to suggest edits de-emphasising
> Oracle's leadership / central role in this group, not because Oracle
> doesn't deserve to or have the right to lead, but more that I wanted to see
> the principles of shared vulnerability ownership (across all the vendors)
> front and center in the proposal.
>
> After a careful re-read of the doc I've realised that my impression was
> plain wrong and that the shared ownership is very much advocated.
>
> Thanks again for proposing this important group, it's really good to see!
>
>
>
> Cheers,
> Martijn
>
> On 24 August 2017 at 22:16, <[hidden email]> wrote:
>
>> 2017/8/24 10:33:41 -0700, [hidden email]:
>> > Totally applaud this idea!  I have some suggested wording changes that
>> > might be easiest to suggest as a diff or some sort of track changes on
>> the
>> > original text.  Do you have a preferred mechanism for that type of
>> feedback?
>>
>> If you'd like to propose a patch, I've posted the Markdown source here:
>>
>>   http://cr.openjdk.java.net/~mr/ojvg/ojvg.md
>>
>> - Mark
>>

Re: Group Proposal, for discussion: Vulnerability Group

mark.reinhold
2017/10/12 0:38:54 -0700, [hidden email]:
> what's the current status of this group/proposal?

We've been a bit, um, busy with other activities over the past few
weeks.

The status is that most people are happy with the proposal at a high
level, but based on feedback we need to make a few minor revisions to
the NDA/license document.  That will necessarily involve lawyers, so
it will take a bit of time, and I know better than to try to predict
how much time.  I'll let you know more when I know more.

- Mark

Re: Group Proposal, for discussion: Vulnerability Group

Srinivas Ramakrishna
Thanks Mark.

What's the process & timeframe for obtaining membership to the group
(presumably after the revised version of the document is out?).

-- ramki

On Thu, Oct 12, 2017 at 5:48 PM, <[hidden email]> wrote:

> 2017/10/12 0:38:54 -0700, [hidden email]:
> > what's the current status of this group/proposal?
>
> We've been a bit, um, busy with other activities over the past few
> weeks.
>
> The status is that most people are happy with the proposal at a high
> level, but based on feedback we need to make a few minor revisions to
> the NDA/license document.  That will necessarily involve lawyers, so
> it will take a bit of time, and I know better than to try to predict
> how much time.  I'll let you know more when I know more.
>
> - Mark
>

Re: Group Proposal, for discussion: Vulnerability Group

Volker Simonis
Srinivas Ramakrishna <[hidden email]> wrote on Fri, 13 Oct 2017 at
20:03:

> Thanks Mark.
>
> What's the process & timeframe for obtaining membership to the group
> (presumably after the revised version of the document is out?).
>

Hi Ramki,

As far as I know this is still all TBD and to be decided and there's
nothing you or I could do except asking from time to time :)

Regards,
Volker


> -- ramki
>
> On Thu, Oct 12, 2017 at 5:48 PM, <[hidden email]> wrote:
>
>> 2017/10/12 0:38:54 -0700, [hidden email]:
>> > what's the current status of this group/proposal?
>>
>> We've been a bit, um, busy with other activities over the past few
>> weeks.
>>
>> The status is that most people are happy with the proposal at a high
>> level, but based on feedback we need to make a few minor revisions to
>> the NDA/license document.  That will necessarily involve lawyers, so
>> it will take a bit of time, and I know better than to try to predict
>> how much time.  I'll let you know more when I know more.
>>
>> - Mark
>>
>
>

Re: Group Proposal, for discussion: Vulnerability Group

mark.reinhold
2017/10/13 11:03:20 -0700, [hidden email]:
> What's the process & timeframe for obtaining membership to the group
> (presumably after the revised version of the document is out?).

http://cr.openjdk.java.net/~mr/ojvg/#membership

- Mark

Re: Group Proposal, for discussion: Vulnerability Group

Volker Simonis
Hi Mark,

while our legal team reviewed the Vulnerability Group proposal, they
complained that the term "rough consensus" is never defined, neither
in the Vulnerability Group proposal nor in the OpenJDK Bylaws.

Would it be possible to rephrase "rough consensus" as "lazy consensus"
which is defined in the Bylaws? I understand that in the Bylaws, "lazy
consensus" is defined with respect to voting and we don't want to have
a vote for every decision but on the other hand, the definition of
"lazy consensus" as "not having any veto" seems appropriate to me in
the context where "rough consensus" is currently being used in the
Vulnerability Group proposal.

If that's not possible, the Vulnerability Group proposal should
define in more detail what it means by "rough consensus".

Thank you and best regards,
Volker


On Mon, Oct 16, 2017 at 4:10 PM,  <[hidden email]> wrote:
> 2017/10/13 11:03:20 -0700, [hidden email]:
>> What's the process & timeframe for obtaining membership to the group
>> (presumably after the revised version of the document is out?).
>
> http://cr.openjdk.java.net/~mr/ojvg/#membership
>
> - Mark