Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20110403204433.GB8721@openwall.com>
Date: Mon, 4 Apr 2011 00:44:33 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Closed list

On Sun, Apr 03, 2011 at 01:23:26PM +0200, Miklos Vajna wrote:
> Please subscribe me to the new list. I was a vendor-sec subscriber.

I've tentatively subscribed you, for Frugalware.  However, I am not
convinced that you are / will be making sufficiently good use of the
advance notifications on medium-severity security issues.  I went to
http://frugalware.org and here's what I saw:

1. There are recent non-security package updates (such as yesterday's).
Great.

2. The latest "security announcement" is dated 2011-02-13, and it is for
"opera".  Slightly older ones are for "drupal6-mollom", "wireshark",
"horde-webmail", "wordpress", and even more web apps stuff.  Then we
finally see an update to "kernel" on 2010-12-12.  Surely a distro that
supports running and even includes a web browser and popular web apps
also includes lots of other stuff, common to other distros, however
where are the security updates to those components for the last 3-4
months?  There have been some security bugs in them, including many more
in the kernel since 2010-12-12.  I understand that it's hard to find
time for all of the low and medium severity updates when you're just one
person doing security response for a non-tiny distro, and I understand
that you have a legitimate need for the info.  I am just not convinced
that the risk of "one more person" is justified when you haven't issued
an update for 48 days (or so) whereas the suggested embargo period on
the new list is up to 14 days.

Yet you're on the list for now.  Perhaps try to evaluate your use of the
info that will be arriving to you through the list and ask to be
unsubscribed if you determine that you're not making timely use of the
info anyway.

I must admit that we sometimes have the same problem at Openwall -
non-critical security issues are sometimes not patched for a while, and
we tended not to start preparing security updates for issues discussed
on vendor-sec until the CRD was very close.  We did the latter in part
not to add to the risk of inadvertently disclosing the issue.  This
suggests that the embargoes were unnecessarily too long, though (for us
at least).

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.