Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5346A1C3.4000409@amazon.com>
Date: Thu, 10 Apr 2014 06:50:59 -0700
From: Anthony Liguori <aliguori@...zon.com>
To: Solar Designer <solar@...nwall.com>, <oss-security@...ts.openwall.com>
CC: Matt Wilson <msw@...zon.com>, Max Spevack <spevack@...zon.com>
Subject: Re: Request for linux-distros list membership

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/09/14 23:25, Solar Designer wrote:
> On Wed, Apr 09, 2014 at 11:57:33PM -0600, Kurt Seifried wrote:
>> So first off I'm inclined to have Amazon on the distros list
>> (same reasons as Oracle basically).
>> 
>> My only concern is are you the correct person, I have no clue who
>> is on the Amazon security team for their Linux distribution, I've
>> never seen you post anything anywhere.
>> 
>> Your search - site:aws.amazon.com Anthony Liguori - did not match
>> any documents.
>> 
>> Your search - site:aws.amazon.com aliguori@...zon.com - did not
>> match any documents.
>> 
>> Can we somehow get confirmation from Amazon that this is the
>> right person to have on distros? Thanks.
> 
> Yes, we need this sort of confirmation.  My other concerns are:

Matt commented earlier.  Max will also confirm.  Is that sufficient?

Between the three of us, there should be enough public evidence and
enough people already on the list who have worked with one of us in
the past.

> I think Amazon has never participated in discussions on
> oss-security. Searching:
> 
> site:openwall.com "amazon.com"

We typically post to mailing lists from personal addresses due to
DKIM.  I don't know if we have participated or not previously.  I have
certainly participated in the past regarding QEMU security
vulnerabilities but that would be with my previous employer and/or my
personal address.

> finds only Anthony's request for distros list membership and some 
> irrelevant pages outside of the oss-security archive.  It doesn't
> find any oss-security postings from any Amazon person (although
> checking the subscriber list I see that some were subscribed, at
> various times).
> 
> As I said in:
> 
> http://www.openwall.com/lists/oss-security/2014/01/22/1
> 
> "Asking to join linux-distros before you've been on oss-security
> for a while (and preferably, having contributed to the discussions
> in here) is putting the cart before the horse."
> 
> The distros and linux-distros lists exist as an addition to 
> oss-security.  It is pointless for a distro to be on 
> distros/linux-distros while not also being on oss-security.
> Granted, Anthony has just joined oss-security (welcome!), yet the
> sudden interest in advance notification while apparently not caring
> about timely notification (on just-made-public issues) just a week
> ago is suspicious.

That's a fair point.  We have other mechanisms to get security
bulletins but more of our folks should subscribe to oss-security too
(and that's why I'm subscribed now :-)).

> Where's the info on Amazon Linux AMI security updates?

http://aws.amazon.com/amazon-linux-ami/security-bulletins/

> How timely were they, historically?  (In other words, does a few
> days of advance notice really make a difference?)

A few days of advance notice enables us to respin our AMI instead of
just providing a package update.  That's a big difference for our users.

> How are users being notified of them?

We use the page above, the MOTD in the actual AMI, and the RSS feed
from the bulletin page.

> How are users supposed to install them?

Via yum.  We also auto-install critical updates on boot if the user
chooses to enable that.  We also respin the AMI if the vulnerability
is critical enough to ensure that new launches are patched.

> I notice that Amazon was added to 
> http://oss-security.openwall.org/wiki/vendors in 2012.  That's
> good, indicating some past interest in security notifications.
> 
> https://aws.amazon.com/amazon-linux-ami/security-bulletins/ lists 
> security bulletins, including already on Heartbleed.

Indeed.

> This addresses some of my questions above, yet I'd appreciate
> direct answers from Anthony as well.

Hopefully I answered what you were looking for.  I am more than happy
to answer additional questions.

> We were not convinced about Qlustar being on linux-distros being
> worth the risk, so we never satisfied Roland's request.  If we're
> to satisfy Anthony's request and add Amazon to linux-distros, we
> need to clearly show how it meets a higher threshold.

Understood.  We appreciate the consideration.

Regards,

Anthony Liguori

> Thanks,
> 
> Alexander
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTRqG/AAoJEBqtxxBWguX/xRIH/jm4uFZ5fSrPQZ62WbHTGfJN
xnjGCaNu4wQhISoasL8l/mC9+TVOl/ATVv2FsUj2EkTBdla3mjCfSjEkDiA+1DV3
a1Do9k0o1Zf69WP37fcsxSTJ5nxCouduz/99nllgDPB3DLMxo7RoPrevfE6E20bi
HA/5kVyXqWI5xlwK1T0PEpjugxAew6iojSsIPTopkAnCLjMFkl2cw7/s/BRehFva
2pSNeqOwt3UlbGHW6golVoQZGMKQMBfg+V2LvF+0Fi42Knyc6gGcd8gHAwwBrVmp
g7Yi2mb2z3DlOuI+98hZkWZmcAXbcBPrhwmn5hGEaVkJbAhlzVdkqN0RY6fcQfY=
=M9Dy
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.