Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20110917055353.GB19260@openwall.com>
Date: Sat, 17 Sep 2011 09:53:53 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: closed-list membership transition

On Fri, Sep 16, 2011 at 10:53:40AM -0700, Kees Cook wrote:
> My last day with Canonical is today. Starting on Sep 19th, I will be
> working for Google on ChromeOS. I'd like to transition my closed-list
> membership based on the fact that ChromeOS is also a distro, and I'll
> still have security responsibilities with it. How should this be handled?

The initial seed membership for the closed list was limited to distros
who were on the old vendor-sec (and additionally limited to Linux only).

I think it's in fact time for us to start accepting other qualifying
Linux distros.

One of the criteria should be that the distro is generally available
(not limited to just one organization).  Another is that it should be
issuing timely security updates.  And, without the "was on vendor-sec"
requirement, we'll need someone to vouch for each new distro member and
first person to subscribe from that new distro.  (Then that person can
nominate additional contact persons for the distro.)

I think that Chrome OS qualifies.  As far as I can see, it's generally
available now: http://getchrome.eu/download.php

Also, I am happy to vouch for Kees.  (I would vouch for other Chrome OS
security people I know as well, but this specific request is from Kees.)

So I'd like Chrome OS and Kees in particular to be on the closed Linux
distros list, to receive advance notification of up to 14 days on medium
severity issues (this is what the list is for).

I'd appreciate any comments on any of the above (support, objections,
anything else).

Thanks,

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.