Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20120201205459.GA8715@openwall.com>
Date: Thu, 2 Feb 2012 00:54:59 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: distros & linux-distros embargo period and message format

On Fri, Jan 20, 2012 at 01:44:45PM +0400, Solar Designer wrote:
> http://oss-security.openwall.org/wiki/mailing-lists/distros
> 
> to state the following:
> 
> "Please note that the maximum acceptable embargo period for issues
> disclosed to these lists is 14 to 19 days, with embargoes longer than 14
> days (up to 19) allowed in case the issue is reported on a Thursday or a
> Friday and the proposed coordinated disclosure date is thus adjusted to
> fall on a Monday or (preferably) a Tuesday.  Please do not ask for a
> longer embargo.  In fact, embargoes shorter than 14 days are preferable."

I've just revised the last sentence above to say "In fact, embargo
periods shorter than 7 days are preferable."

Can we possibly afford to change the maximum to 7 to 11 days (depending
on day of week)?  That is, 7 days is the standard maximum, up to 11 days
is possible if the issue is reported on a Thursday or a Friday (only in
these two cases).  I am for this change (in both my list member for
Openwall and my list admin capacity).  What about others?

(In fact, I'd prefer an even shorter maximum, but I am proposing what I
think has a chance to be approved by others without making the list a
lot less useful to them.)

Also, I added the following to the wiki page:

"Please note that any/all list postings may be made public once the
corresponding security issue is publicly disclosed, so please do not
post information that you want to stay private forever."

with a footnote that says:

"There was/is intent to be making all list postings public with a delay,
which is currently not yet implemented for technical reasons, but it may
be implemented and applied retroactively - that is, including to past
postings."

Those "technical reasons" are me not being aware of a program to
mass-decrypt an mbox with PGP/MIME messages (producing an mbox with
decrypted messages).  I'd appreciate it if someone finds or writes
this program.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.