Message-ID: <87twxdb7d1.fsf@mid.deneb.enyo.de>
Date: Sun, 22 Mar 2015 12:26:50 +0100
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Subject: Re: membership request to the closed linux-distros security mailing list

* Solar Designer:

> Oh, and I need to announce that one distro left the list earlier this
> month: the person previously subscribed for Android determined that "the
> mail going to those lists hasn't been actionable" for Android.

Well, this can mean basically anything. Maybe they can't do embargoes at all, considering how fixed software is delivered to end users.

> 3. Set up a separate list for primarily non-free software and primarily
> non-software vendors. Of the existing linux-distros members, maybe
> Amazon Linux AMI, MontaVista, and Wind River should be moved there.

Huh? Isn't Amazon Linux AMI just a piece of software? MontaVista and Wind River are subsidiaries of Cavium and Intel, and the parent company product security teams should be on a (linux-)distros-type list anyway.

> The idea behind such a list is that we'd let people decide who they want
> to notify: all distros (including this separate list) or just the more
> free'ish subset (not including this separate list).

Why would you give priority to free-ish distributions? What's the goal? We are all on the same Internet, which is why I fail to see the benefit of distributing vulnerability information based on this criterion.

> And indeed, the separation between these sub-lists is unclear. There
> will always be doubts where a given vendor belongs. For example, to me
> Red Hat is free enough to be on the privileged sub-list, but someone
> might disagree.

Being commercial hopefully means that your security team members don't need an actual job that pays the bills, which may create additional obligations. If the security team is just a bunch of volunteers, you have different potential for conflicts of interest (not sure what's worse, an additional job, or commercial pressures).

> Comments?

What's happening on the distros list these days? Who are the primary contributors? Are there discussions about technical details? Or is it just CRD coordination? Or do people just drop off pre-advisories?