Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20140608111542.GA12848@openwall.com>
Date: Sun, 8 Jun 2014 15:15:42 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: transparency on message moderation

Hi,

Among all the rants on OpenBSD lists, Theo de Raadt happened to
indirectly remind me that more transparency is needed regarding message
moderation on oss-security.  Yes, a positive effect of the rants, no
matter how dirty they were.  Thank you, Theo!  The message below focuses
on Kurt Seifried's role, although that is only a side-effect of how the
discussion unfolded.  By posting this to oss-security, I mainly want to
increase transparency on how oss-security message moderation works in
general.  I also like to take this opportunity to thank Kurt Seifried,
Josh Bressers, and Vincent Danen for their help approving obviously
on-topic oss-security postings sometimes quicker than I do.  (Kurt and
Josh are current co-moderators, Vincent was a co-moderator before.)
As I explain below, only a small subset of postings actually get held
for moderation, yet processing them quicker is highly desirable.

Here's what I've just posted to a thread on OpenBSD misc and tech lists:

On Fri, Jun 06, 2014 at 10:26:48AM +0400, Solar Designer wrote:
> On Thu, Jun 05, 2014 at 04:38:24PM -0600, Theo de Raadt wrote:
> > Kurt and Solar --
> > 
> > You are the primary contacts for the oss-security email list.
> 
> Kurt is not.

Sorry for going slightly off-topic, since this is not an OpenBSD thing,
but I think it's appropriate to post the below in here.

I think I need to clarify Kurt's exact role on oss-security and distros,
given how suspicious people are and for the sake of transparency, even
though I find this otherwise irrelevant to the issue at hand.  BTW, I
am not CC'ing this to Kurt because we managed to offend him so much that
he doesn't want to receive these e-mails anymore.  I'll post the main
content of this message to oss-security as well, crediting Theo for the
indirect reminder that more transparency is needed.

On the linux-distros lists, Kurt is one of the members from Red Hat.
He has no special privileges there.  Kurt happens to be assigning CVE
IDs from Red Hat's pool when people (those reporting vulnerabilities
externally and/or other list members) ask for those.

Kurt used to be assigning CVE IDs from Red Hat's pool on the public
oss-security list as well.  He was doing this for a long while, and I
think is well recognized for that.  Now MITRE takes care of this.

Kurt currently has co-moderator privileges on oss-security, for the sole
purpose of approving obviously on-topic messages from new addresses (not
yet pre-approved), especially when I am not around (but usually I am).
This minimizes delivery delays.  This does not make Kurt a "primary
contact" for the list - it's a rather limited and technical role, and an
unpleasant one (since most messages in the moderation queue are spam),
that Kurt at some point agreed to help with (but may resign from it
anytime).  Another current co-moderator on oss-security is Josh
Bressers.  Both Kurt and Josh are from Red Hat.  The set of
co-moderators is occasionally changing as people volunteer or resign.
I think I should adopt a practice to announce such changes on
oss-security itself right away, for the sake of transparency, even
though the additional co-moderators (everyone besides me) only approve
obvious on-topic messages and don't reject anything, so the
responsibility for the list's policies remains mine (and I am the only
one to blame).

"Conspiracy theorists" may now say that this is a "privilege" that
provides (a few hours of?) advance notification, and that messages may
be deliberately delayed.  I've heard such claims about Bugtraq (they
might or might not be right).  On oss-security, most messages are from
pre-approved senders (so they get posted right away, with no ability for
a co-moderator to even see them before they're sent to everyone), and
the few that get into the moderation queue are approved quickly (from
minutes to hours, but not days - whenever I or a co-moderator gets a
chance to check our e-mail and confirm that the message is not spam and
is on-topic).  Such concerns could apply to Bugtraq (and do apply, as
we've seen from some public criticism of Bugtraq) and to FD as well.
I think they apply to oss-security to a smaller extent, because a lot of
people (who post to oss-security) actually know that delays are usually
non-existent or, when they do occur, are much smaller than those on
Bugtraq (and likely smaller than those on FD as well, but I'd need to
actually analyze the data to make sure).  (I do think Bugtraq's delays
are often unacceptable, regardless of why they occur.)

As far as I'm aware, no oss-security posting was ever abusively delayed.
There are some rare occasions where a posting is questionable (neither
obviously on-topic nor obviously off-topic) and a moderation decision
takes time to make - e.g., sometimes I contact the sender to have them
clarify why their posting would be appropriate for oss-security.  In
those cases, as well as even for obviously off-topic messages, the
co-moderators do nothing, and I handle these (almost always same day).
IIRC, none of these were vulnerability reports in open source software.
I do recall some that were vulnerability reports in closed source
software (and this needed to be clarified before they got rejected as
off-topic).  When such misdirected reports happen, we don't make use of
the information in the rejected postings (and the sender typically posts
to FD or/and Bugtraq).

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.