Message-ID: <alpine.LRH.1.00.1103081107240.6869@oebafba.bjyevire.pbz>
Date: Tue, 8 Mar 2011 11:19:43 -0500 (EST)
From: R P Herrold <herrold@...river.com>
To: oss-security@...ts.openwall.com
Subject: Vendor-sec hosting and future of closed lists

On Tue, 8 Mar 2011, Josh Bressers wrote:

prior content, not from Josh:

>> We would also be willing to host and maintain a closed vendor-sec style
>> mailing list like the previous one with the only condition for member
>> list to be public (not necessarily the individual contact names but at
>> least the entities represented).

I guess I do not see the reason for such a listing. The list that Josh put together from memory does not include the distributions I represented and coordinated vendor-sec matters for. Having such a list just offers better target identification of those NOT on the list and thus may lag a CRD, no? How is this beneficial?

> There is also the option of recreating an old style list. This is a bit
> more ad-hoc and Openwall has already offered to host such a thing (Solar
> has quite a bit already in place). I do favor this a bit, as it would make
> a nice complement to oss-security

I favor such as well - I posted an offer to host such pro bono as a neutral vendor (centos inherently trails), but it was caught up in the trashing of the old vendor-sec host and so did not ever pass the old list. Openwall's offer is fine by me as well. I mentioned adding opportunistic SSL/TLS transport on the mailserver, to cut out casual MitM eavesdropping.

> 1) Membership management is a pain. Adding new people is annoying and
> nobody ever leaves.
> 2) Nobody is in charge, which means sometimes issues can get ignored or
> forgotten (also see #1)

These track together -- mailman or such will cull dead email accounts that bounce of course, but that is a pretty mild form of management. Absent a charter to somehow mandate some 'contribution' to remain on a list, there is not a clear rule to 'weed' the list.

But is this really needed except from some idea of avoiding 'too many eyes'? Frankly, running a distribution is work and, for non-commercial distributions, unpaid work. If a criterion for remaining on the list is needed, it is needed to make sure that eyes are still reading the content -- handle that with a periodic 'tracer' piece, and drop non-responders.

-- Russ herrold (centos, cAos)
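Editor's note (added example, not part of Russ's message or any list host's actual configuration): the "opportunistic SSL/TLS transport on the mailserver" he mentions is, on Postfix, a two-line change to main.cf. The certificate paths below are placeholders, and the peer in the policy map (vendor-sec-host.example) is a made-up name.

```ini
# /etc/postfix/main.cf (fragment) -- added illustration of opportunistic TLS

# Inbound: offer STARTTLS to any client that asks, but still accept plain
# SMTP from clients that do not. This is what "opportunistic" means.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.pem      # placeholder path
smtpd_tls_key_file  = /etc/pki/tls/private/mail.example.key    # placeholder path

# Outbound: use STARTTLS whenever the receiving MTA advertises it.
smtp_tls_security_level = may
smtp_tls_loglevel = 1          # log one line per TLS handshake for auditing

# Caveat: "may" only defeats passive (casual) eavesdropping. An active
# on-path attacker can strip the STARTTLS offer and the mail falls back
# to cleartext without any error. For the handful of peers that matter
# (the list host, in this case) pin a mandatory, verified policy instead:
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
```

The policy map referenced above would contain one line such as `vendor-sec-host.example secure`, which makes Postfix refuse to deliver to that host unless the TLS handshake succeeds and the certificate verifies, so a downgrade to plaintext shows up as a deferred message in the queue rather than silently on the wire. Run `postmap /etc/postfix/tls_policy` after editing the map and `postfix reload` after editing main.cf.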