Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20110409203938.GA5955@openwall.com>
Date: Sun, 10 Apr 2011 00:39:38 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Closed list

On Fri, Apr 08, 2011 at 11:40:45AM -1000, akuster wrote:
> Can I get a status on this? (+, -, Ack, Nack)

Postponed.  I'd like to see any support for you getting onto the Linux
distros security contacts list, with reasoning, or/and any other
suggestions on what to do in this case.  Josh - what do you think (as
someone who advocated the setup of a vendor-sec replacement)?

Formally, you sort of qualify (you were on vendor-sec and presumably you
have a Linux distro, although I failed to quickly find a way to see what
kind of software your distro contains).  However, from your own
statement (quoted below), it appears that we're not going to be able to
see whether and how you make intended use of the advance notifications:

> Our advisories are via a paid subscription service so they are not public.

Obviously, this goes against the attempt at transparency, and also it
means that we won't be able to evaluate your need to be on the list in
the same way that we do/should/will for other vendors - e.g., we may
re-check Frugalware and rPath in a few months from now to see if their
security response has sufficiently improved to warrant the advance
notifications to them or not, but what do we do for MontaVista? grant
you an unconditional exception?

You also wrote:

> Our customers require vulnerabilities to be addressed in a timely manner.

So you have contractual relationships with your customers and you're
going to use the advance notifications in your business.  Well, many of
the more open Linux distros also have paying customers, but in your case
this is all you have (if I understood you correctly).

For both kinds of distros, it is possible that the vendor will misuse
the advance notifications to notify their customers before the issue is
disclosed publicly (which normally happens on the CRD).  We ask and hope
that vendors won't do this, but the risk is there.  Arguably, for a
vendor that is not making their advisories and updates public, this
temptation and thus the risk are higher.

Then, a closed Linux vendor like MontaVista, working for their paying
customers only, is somewhat similar to an end-user of Linux who
maintains their own Linux distro in-house.  Where do we draw the line?
Many legal entities vs. one?  I doubt that this is going to work as
desired (and I imagine that different people in here would want it to
work differently anyway).  For example, a large enterprise is likely to
use multiple legal entities.  Substantially same ownership?  This gets
too tricky, non-technical, non-specific, and subject to change.

Clearly, we can't reasonably start to accept end-users of Linux merely
because they build their own distro... or just claim to.

I understand that generalization and reductio ad absurdum may lead to a
logical fallacy, however unfortunately we're setting a precedent here
(one way or the other), so we may need to generalize and consider likely
consequences of the precedent... unless we're happy to drop the list
when it grows too large and maybe start anew, with stricter rules.

Finally, here's an additional aspect/concern.  The list is being setup
as a hopefully better alternative to explicit CC lists.  "Members" of
those lists are picked by whoever reports the issue - this person
could be from one of the distros or it could be an external reporter.
Would many (or any) of those people want to report to MontaVista
specifically (along with other distros) or to closed Linux vendors in
general?  I think not.  I think that having such vendors on the list
would feel like a tax to many reporters, who would have to weigh the
pros and cons of using the exploder (ease of use, an up-to-date list of
contact persons, encryption, but extra vendors notified) vs. direct e-mail
(excluding those who they don't want to or don't care to notify).
I think that many would choose the latter (and end up excluding some of
the open distros as well, even though they would not mind notifying
them), thereby reducing the usefulness of the list.

And you also wrote:

> will revisit the wiki issue soon.

Since you pinged me about the status on your subscription, let me ping
you about the status on the wiki updates as well. ;-)  Any progress?
The pages to update with your info are:

http://oss-security.openwall.org/wiki/vendors
http://oss-security.openwall.org/wiki/distro-patches

Please don't take any of the above personal.  I am just trying to
provide a useful service to the community.  This is a thankless job, and
I'd be happy if someone else does it - and does it better, or just
differently to provide an alternative.  I'd be happy if the alternative
wins, letting me happily shutdown the list.  (I've been privately asked
to provide a hopefully more secure alternative to vendor-sec long before
vendor-sec ceased to exist, but I really did not want to get Openwall
into the mess, nor did I have time for it.  I only felt like I had to do
it when it became clear that the lst.de folks would not host something
like this anymore.)

In fact, MontaVista may host such a list as well, which would include
MontaVista and more... but I would not expect many (maybe even most?)
other distros and reporters to want to write to that list, which would
kind of confirm the problem with having MontaVista on the list.

Please let me know if I misunderstood anything or if you have any
suggestions.

Thanks,

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.