|
Message-ID: <20140122002913.GA2180@openwall.com> Date: Wed, 22 Jan 2014 04:29:13 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Cc: rf@...eap.de Subject: Re: linux-distros membership Hi Roland, On Mon, Jan 20, 2014 at 05:36:27PM +0100, rf@...eap.de wrote: > >>>>> "Yves" == Yves-Alexis Perez <corsac@...ian.org> writes: > > Thanks again Yves. Unfortunately this doesn't help me with getting the timely > reports about kernel security bugs from the linux-distros list. Can > somebody, who knows the details of the process, please answer what we need > to do, to get on the list? Given that you seem to be interested only in Linux kernel vulnerabilities, I think you're overestimating the value that being on linux-distros will provide to you. There are more Linux kernel vulnerabilities being disclosed on oss-security right away (yes, in public) than those that pass through linux-distros first. Yet you were not on oss-security until after you've posted the request to join linux-distros a week ago. Did you not actually care? Or was someone else from Qlustar subscribed? Asking to join linux-distros before you've been on oss-security for a while (and preferably, having contributed to the discussions in here) is putting the cart before the horse. I did not count them carefully, but I think there are relatively more non-kernel vulnerabilities passing through linux-distros (than kernel ones). Actually, it might be the same ratio as on oss-security, with the difference being that on oss-security you're not unnecessarily exposed to additional sensitive info. Unfortunately, we don't currently have a sub-list for just Linux kernel, and if we set one up it might not work all that well (we already saw some confusion with having distros and linux-distros; adding a third list might make it worse). I found Qlustar security advisories here: https://www.qlustar.com/security-advisories This is great, although I guess in "a Ubuntu/Debian based distro" there are many more vulnerabilities being discovered. How do you choose which packages to issue advisories for? Are they possibly the packages that differ from Ubuntu/Debian (that is, that have your customizations)? At first glance, it appears that about one half of your advisories are about the kernel. Would having about 7 days of advance notice (and at most 19 on some occasions, per list policy) on a small subset of Linux kernel vulnerabilities be of much help in preparing update packages? Would it significantly reduce the window of exposure for your users? e.g., reducing it from 8 days to 1 day is significant, but from 30 days to 23 days is much less so. As to "the details of the process", we don't currently have it fully formalized. We did have a simple process for accepting a subset of old vendor-sec members into the distros and linux-distros lists, but after that point I'm afraid we never arrived at a decision on whether we should introduce a voting/vouching process like vendor-sec had. Instead, we had a few discussions in here, like the one we're having now due to your request. There were several membership requests that I think fell in the grey area, and I think yours does too: it's not unreasonable, but it fails to convince me that Qlustar being on linux-distros would likely significantly benefit the users of your distro. Is anyone else in here convinced? (Genuine question.) Among the criteria we do have is the distro issuing timely security updates and advisories. Qlustar appears to do that, although only for a subset of packages, and I'm unsure how timely the updates are (e.g., if they're late by 30 days, then reducing that by ~7 days doesn't help all that much, as in the example above). Of the distros currently on the list, I find it most difficult to justify (to myself) the membership of MontaVista and Wind River. (This was discussed before.) Qlustar appears similar in some aspects, but without a track record (known to me) of having participated in the security community (which both MontaVista and Wind River have). In fact, I don't recall hearing about Qlustar before (and Google web search finds very little, too). Are Qlustar's security updates (not just security advisories) publicly available? Let's discuss. Roland, your own opinion counts too - it's not just you trying to justify this to the rest of us, but it's us all (including you) trying to arrive at what's deemed the best decision. We have a community here on oss-security, and you're welcome to join us and participate in discussions regardless of whether Qlustar gets on linux-distros or not. Meanwhile, please add Qlustar info to: http://oss-security.openwall.org/wiki/vendors > >> >> I hope this is the right place to ask for inclusion of a > >> >> Qlustar contact in the linux-distros list. Yes, it is the right place. > >> >> Qlustar is a Ubuntu/Debian based distro targeted at > >> >> HPC/Storage/Cloud clusters. We use our own kernels (typically > >> >> based on vanilla) since many years, but have the need to > >> >> supply timely security fixes to our users. So far we have to > >> >> wait for other distros to come out with their announcements > >> >> and then start analyzing the fixes they have done. This leaves > >> >> us/our users with a vulnerability window that is way too > >> >> large, > >> > >> > I can't speak for Ubuntu, but you're welcome to participate in > >> > the Debian security effort. > >> > >> thanks a lot for your offer. Could you explain a little more what > >> participation in the Debian security effort would mean? Note that > >> the issue I currently have is mostly about kernel fixes and we > >> don't use Debian nor Ubuntu kernels. > > Yves> Most of the documentation can be found in the secure-testing > Yves> repository [1] and on the Debian wiki [2]. > > Yves> [1]: > Yves> http://anonscm.debian.org/viewvc/secure-testing/doc/narrative_introduction?view=markup > Yves> [2]: https://wiki.debian.org/Teams/Security Alexander P.S. Somehow your replies arrive as entirely new messages, not as replies to whatever message you're replying to. They lack proper In-Reply-To header. It'd be helpful if you correct that (for further replies), as it is needed for proper threading in the list archives. Normally, In-Reply-To is set if you simply use your mail program's "reply" feature. I don't know why this was not happening for you.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.