Message-ID: <1496340239333.24020@amazon.com>
Date: Thu, 1 Jun 2017 18:03:59 +0000
From: "Liguori, Anthony" <aliguori@...zon.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: unresponsive distros

Hrm, I've been following the thread but apparently missed your request, Solar.

Regards,

Anthony Liguori
________________________________________
From: Solar Designer <solar@...nwall.com>
Sent: Thursday, June 1, 2017 11:00 AM
To: oss-security@...ts.openwall.com
Subject: [oss-security] unresponsive distros

Hi,

A certain issue being handled on the distros list provided for a
particularly good opportunity for me to test whether/which distros are
actually paying attention and intend to respond to issues during the
embargo period.  In the middle of a lengthy thread with a somewhat
generic Subject (since it travels unencrypted), I asked literally all
(and I emphasized that) distros to respond to the thread with status
updates regarding their handling of the issue.  That was on May 27.
I gave distros time until May 30 (Tuesday) to respond.  I then gave them
about 2 days more, as you can see.

Most distros responded, with varying amounts of detail.  But 3 did not:

FreeBSD
Amazon Linux AMI
MontaVista Software

We had heard from FreeBSD earlier in the thread, although I would have
expected them to reply to the specific request as well (and I did say so
explicitly).  Maybe it's fatigue from too many encrypted messages, most
of which happen to be focusing on Linux-specific aspects of the issue.
That's not great at all, but it is somewhat understandable.  Part of the
problem is that when an issue is potentially relevant to both *BSD and
Linux, we're rarely careful to separate postings and sub-threads between
the distros and linux-distros lists, resulting in "spamming" (and risk
of leaks) of the Linux-specific aspects to (and via) the *BSD's.  This
is something for us all to improve.  (Some of the sub-threads were in
fact correctly separated to go only to linux-distros in this present
case, though.)

As to Amazon and MontaVista, it is likely they'll have to leave the
distros list for inactivity.

As far as I can tell, last posting/reply on the (linux-)distros list by
Amazon was in July 2016 and before that in November 2014.  As far as I
can tell, MontaVista never posted to the list.  Being a user of the info
only, without participation in discussions, is not strictly disallowed,
but this time it's coupled with lack of response when specifically asked
to respond, and on an issue that is at least potentially relevant to the
distros (not just a responsiveness test).

At this point, there will have to be a very good reason to justify
keeping Amazon and MontaVista on the list.  Is there any?

OTOH, there's just one person subscribed for each of Amazon and
MontaVista, and all messages are encrypted to the recipient's own keys
(but of course the headers are unencrypted, including the Subjects).
So e.g. an unattended mailbox isn't that much of a risk.

I am not going to ping Amazon and MontaVista directly (just like I did
not ping NetBSD directly last month, although others promptly did
anyway).  If they missed the messages on the distros list and also miss
the message here, so be it.

While I am at it: there have been 3624 messages on linux-distros (and a
subset of those on distros) since the list was set up on April 3, 2011
and until today.  That's about 1.6 messages per day on average, but
sometimes there are spikes (like there is now) and sometimes there are
quiet periods.

Alexander
