|
Message-ID: <48459F96.5010803@freethemallocs.com> Date: Tue, 03 Jun 2008 11:46:30 -0800 From: Jonathan Smith <smithj@...ethemallocs.com> To: oss-security@...ts.openwall.com Subject: Re: tool announcements -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Solar Designer wrote: | Also, I am not on full-disclosure - | should this prevent me from being a moderator for oss-security, or do I | have to subscribe to full-disclosure? I don't think so, no. I actually gave up on FD recently as well, given the ever-decreasing signal-to-noise ratio. I should clarify; I don't actually mind cross-posting, so long as the content is appropriate on all the lists posted to. I just don't, personally, believe announcements should be on-topic on oss-security. | Maybe. However, many topics are valid on Bugtraq - not only Open Source | ones. I imagine that someone could be interested in security tool | announcements relevant to Open Source software only. Also, Bugtraq is | so large that few of us would dare to bother its readers with | announcements of new versions of a tool, even fairly major ones. Maybe part of the problem is that I'm not that interested in new tools. The ones I currently have work well enough, and I can only spend so much effort learning new stuff, and there are more interesting new stuff to learn :) | Maybe we need to setup a new oss-sectools list, but I'd rather not go | for it until we start to receive a substantial number of security tool | announcements in here. Sounds good. | As to "sparking discussion", it is impossible to know that in advance. | Yes, you wrote "designed to ..." - does ending a post with "comments, | please?" qualify? If so, that could be used on any announcement - even | on a mostly-PR one. Eh. I'd still lean "no" here. It doesn't seem very likely that "new version of $my_package released with shiny new stuff" is going to generate useful discussion. If, on the other hand, the author of the tool emails the list asking for comments on a new method of vulnerability scanning or similar, which may have been recently added to his/her toolkit, that seems quite germane. | Also, what about those CVE requests - is a single response, assigning | the CVE number, "discussion"? OK, in some cases people actually have | comments. Good point. CVE assignments to oss software clearly belong on-list since they help us all by not duplicating work, even if they aren't strictly discussion. | Of the existing lists, Bugtraq is probably the place for PR. Agreed. | However, some tools could be of specific relevance to oss-security | members - e.g., source code analysis tools and fuzzers. Do you agree? Sure. | Is a moderator supposed to decide whether or not this is the case? Well, I'm not sure. Not being a moderator, I don't know how much work it really is. *If* it is a relatively low workload, I think weeding out the not-as-relevant announces would be very valuable. |> So, was this message, and "SQL_injection detection tool released" held |> for moderation? | | Yes, they were. Good to know. | I don't regret approving these messages - I think that we're having | useful discussion as a result, and I think that it was important for | this group's members to be aware of what was coming to the list (except | for spam). Let's say that these two messages are "samples" of content | that we might or might not want in here. | | My opinion is that moderators are not supposed to define the list's | policy on their own - and we did not (and still do not) have this bit of | policy fully defined. So let's try to take care of that now, or I would | not know what to do if more messages like these two arrive to the list. Agreed. I wasn't intending to pass judgment on the moderators, just wondering. For now, I'll concede that there isn't enough traffic to justify forming a new list. Consequently, I suppose I'm in favor of keeping them on-list. When/if the announcement traffic level changes, perhaps we should revisit. smithj -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) iEYEAREIAAYFAkhFn5UACgkQCG91qXPaRen2WQCeJRbmeWlU3ejUH/yDIPU9Wc2Z fUEAnjEj0IqoXLSmBLXsCMePoG+H3ea1 =4j4N -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.