Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 13 Mar 2012 20:07:46 +0400
From: Solar Designer <>
Subject: Re: running the distros lists

On Tue, Mar 13, 2012 at 12:44:03PM +0100, Thomas Klausner wrote:
> On Tue, Mar 13, 2012 at 06:53:04AM +0400, Solar Designer wrote:
> > What I'd like to be happening is for some list member(s) (not too many
> > of them) to be proposing a CRD for each reported issue on the day it is
> > reported.  Then those member(s) need to stay on top of all open issues
> > and ensure the CRDs are met (if necessary, adjusting the CRDs as long as
> > the list's limit permits).  Quite often, this will involve negotiations
> > with other list members, with the reporter, with upstream(s), and with
> > various other parties (such as related projects and distros who are not
> > on the list).  Yes, this does sound CERT'ish. ;-)
> Does this person contact upstream(s)?
> If not, who does?
> Does this person contact downstreams?

I think that ideally the person would (try to) identify the upstreams,
downstreams, and other affected projects to contact, ask the reporter
for approval, upon the approval inform those other projects that there's
a security issue and ask them if they'd like more info and if they're OK
with the proposed maximum embargo period (CC'ing the list on those
preliminary notifications), and if they accept then finally pass the
actual info on to them (also CC'ing the list) and add them to the CC
list on further correspondence.

> Or are they assumed to read distros@?


> What if an up- or downstream claims to need longer (confer a recent issue)?

If they want more time than we can give them, then we can choose between
leaving them out of the loop and giving them whatever time we can give
them (less than they want) - or we can leave this choice up to them.
They may be unhappy and say that we're being irresponsible, but I see no
obviously better approach.  Keeping issues embargoed for weeks or months
is not obviously any less irresponsible.

With the example that I guess you're referring to (which we may discuss
in public in more detail once the corresponding issue is finally
public), the reporter notified related projects (not on the distros
list) without informing them of the maximum embargo period at the time,
so they assumed they had plenty of time.  In my proposal above, I am
trying to address this by asking other projects to accept the terms
first (before being exposed to the vulnerability details).
Unfortunately, that won't always work - e.g., a reporter not aware of
this procedure of the distros list may contact other projects on his/her
own and thereby create certain implied expectations on their part...

I guess there's no perfect solution to this.

> When CRD happens, who publishes what where?

Everyone is free to publish via their usual channels (e.g., distro
updates and advisories), plus I think we must start publishing all
issues on oss-security.  It would also be nice to include a timeline
along with every issue that was initially discussed in private.  I'd be
happy if those distros list member(s) volunteering to help run the list
would also accept the responsibility to post about each and every issue
being made public to oss-security.

> Or is it just a free-for-all afterwards?

Yes, but I think we should also have the mandatory publication on

> Just off the top of my head :)

That was a very useful set of reminders, thank you!


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.