OpenJDK Governing Board Minutes: 2014/1/30

The OpenJDK Governing Board met via conference call on Thursday, 30 January 2014 at 16:00 UTC with the following agenda:

  1. Proposal: OpenJDK Vulnerability Group
  2. Any other business

Five Board members were present: Georges Saab, John Duimovich, Andrew Haley, Doug Lea, and Mark Reinhold.

1. Proposal: OpenJDK Vulnerability Group

Mark presented a brief slide deck to describe his proposal for the OpenJDK Vulnerability Group, a secure private forum open to trusted members of the OpenJDK Community. The proposed Group would receive and address reports of vulnerabilities in OpenJDK code bases. The Group would review and evaluate submissions, collaborate on fixes, and coordinate the release of fixes. Mark described the membership criteria, how the Group would make decisions, the communication policy and channels, information flow, and typical work flow.

When Mark concluded, he said that many of the details were inspired by examining similar groups such as WebKit, Apache, and Eclipse. He indicated that the proposal had already received high-level approval from Oracle executives and he wished to receive feedback from the Governing Board before taking further action. The next obvious step was to present this (or similar) slide deck at FOSDEM 2014. After that he wanted to post the longer, more detailed proposal to the general discussion list to solicit feedback.

Doug wanted to understand the difference between handling a known vulnerability and preventing a vulnerability during design. John thought that developers of new code should be very open about how they're designing for security and should do so in the appropriate design forum. Once the code has been shipped, that's when this Group would need to be consulted to resolve issues in that code. Mark agreed that he did not expect discussion of security issues in new code to be confined to this Group.

Andrew wanted to verify how sharing of changesets would occur prior to releasing a fix. Mark responded that the only mechanism in the near term would be to send encrypted messages to all members of the Group. Andrew believed that it would be good enough if there was agreement that all of the changesets would be shared.

John was pleased with the proposal saying that it presented a unified Java Community. He declared that IBM wanted to join the Group. Andrew agreed stating that the proposal was exactly what he was hoping for and that Red Hat was pleased.

Doug, John, and Andrew all advised Mark to provide the underlying criteria for why the Group must be led by an Oracle employee. There was a brief discussion regarding the size and membership of the Group. Doug thought that somebody in research and active in an open source community should be a member of the Group. John recommended that there be a clear definition of what a vulnerability is, perhaps referencing past examples. He also asked how submissions of copyrighted materials would be handled. Mark answered that the full proposal would require that all submissions comply with the OpenJDK Web Site Terms of Use in order to be accepted.

Mark reminded the Board that the next step would be to present a version of the slide deck at FOSDEM. After that, he'd send the written proposal to the GB for comments before sending it to the general discussion list.

At this point the Board adjourned.