Message-Id: <26f2884d-ddb7-498a-8a73-ad02e0242ed6@www.fastmail.com>
Date: Wed, 04 Aug 2021 09:59:02 -0600
From: "Jeremy Soller" <jeremy@...tem76.com>
To: oss-security@...ts.openwall.com
Subject: Re: Pop!_OS Membership to linux-distros list

On Tue, Jul 27, 2021, at 11:59 AM, Solar Designer wrote:
> Hi Jeremy,
> 
> On Tue, Jul 20, 2021 at 02:23:26PM -0600, Jeremy Soller wrote:
> > 3. Have a publicly verifiable track record, dating back at least 1 year and
> > continuing to present day, of fixing security issues (including some that had
> > been handled on (linux-)distros, meaning that membership would have been
> > relevant to you) and releasing the fixes within 10 days (and preferably much
> > less than that) of the issues being made public (if it takes you ages to fix an
> > issue, your users wouldn't substantially benefit from the additional time,
> > often around 7 days and sometimes up to 14 days, that list membership could
> > give you)
> > 
> > Over the history of Pop!_OS, dating back to 2017, we have maintained critical
> > packages and applied security patches soon after they are made public. Our
> > membership to this list would significantly help our users stay secure by
> > allowing us to prepare and test security updates ahead of public disclosure.
> > Please see our GitHub organization for more evidence: https://github.com/pop-os
> 
> I think it'd be most convincing for us all to see specific examples of
> you having "applied security patches soon after they are made public",
> with dates public vs. fixed in Pop!_OS.

How many examples should I provide? The last security patch I did was for
systemd. We have patches on systemd which means we cannot use the Ubuntu
version directly, so when, for example, CVE-2020-13529 and CVE-2021-33910
patches arrived in Ubuntu 21.04 on July 20, 2021, I applied them to our own
fork of systemd for Pop!_OS 21.04 that same day:

- https://launchpad.net/ubuntu/+source/systemd/247.3-3ubuntu3.4
- https://github.com/pop-os/systemd/commit/bf008f836b8740f6634d02526d1f38c98fa6699a

Pop!_OS needs to participate in linux-distros to ensure we have patches ready
for our forks of packages that do not come straight from Ubuntu. I listed the
relevant packages in my original email, many of which we have had to do
security updates for after some embargo lifts, with very little time to prepare.

> > 7. Be able and willing to contribute back (see above), preferably in specific
> > ways announced in advance (so that you're responsible for a specific area and
> > so that we know what to expect from which member), and demonstrate actual
> > contributions once you've been a member for a while
> > 
> > I am able and willing to contribute back.
> 
> Please choose a specific task (or several).
> 
> I suggest the statistics task:
> 
> "13. Keep track of per-report and per-issue handling and disclosure
> timelines (at least times of notification of the private list and of
> actual public disclosure), at regular intervals produce and share
> statistics (most notably, the average embargo duration) as well as the
> raw data (except on issues that are still under embargo) by posting to
> oss-security - primary: Amazon, backup: Gentoo"
> 
> As you can see, it is currently assigned to Amazon and Gentoo, but as
> far as I can see neither is actually handling it now, so I'd like to
> formally unassign it from them and have another distro handle it.

That would be fine, but I would be curious if there is some reason they have
not been fulfilling this task.
> > 9. Have someone already on the private list, or at least someone else who has
> > been active on oss-security for years but is not affiliated with your distro
> > nor your organization, vouch for at least one of the people requesting
> > membership on behalf of your distro (then that one vouched-for person will be
> > able to vouch for others on your team, in case you'd like multiple people
> > subscribed)
> > 
> > I do not know if I have contacts that are already on the linux-distros list.
> 
> It can also be "someone else who has been active on oss-security for
> years but is not affiliated".  Anyone?

I believe Tyler Hicks is willing to do this.

> Thanks,
> 
> Alexander
> 
