Message-ID: <20170702172722.GA14846@openwall.com>
Date: Sun, 2 Jul 2017 19:27:22 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: accepting new members to (linux-)distros lists

On Sat, Jul 01, 2017 at 03:23:07PM -0400, Stiepan wrote:
> I have a general remark on the recent developments on this list, in particular in relation with the "distros" list and especially, focusing on Linux kernel security:
> a core issue at hand seems to be the funding of work that follows due diligence, standards and so forth, which is a top priority, and should be given appropriate importance at the top decision-making level. I think that in that line, applying for institutional funding through calls for H2020 public-private partnerships such as https://ec.europa.eu/research/participants/portal/desktop/en/opportunities/h2020/topics/ds-08-2017.html and similar non-European initiatives - if there are any - would be more than appropriate, as Linux is a core privacy-enhancing technology, in addition to the fact that "Open source and externally auditable solutions are encouraged in order to maximise uptake and increase the trustworthiness of proposed solutions.". By the way, the same would apply for BSDs, where I have a more direct interest, although they do not share Linux's European heritage! ;)

Thank you for thinking outside the box and suggesting this, but no,
"in relation with the "distros" list" (in your words), let's not apply
for any funding.  Here are some reasons why not, in arbitrary order:

1. The costs of hosting one old server for the distros list are small.

2. The effort of administering that system is also small. (*)

3. The effort of handling the administrative tasks is also small - I
shared my estimate of it in the previous message I sent to this thread.

4. I think this effort is best spread across the distros, and that's not
because one entity could not bear the full "cost" (I think many could),
but because we should prefer to have all distros visibly involved and
responsible (if a distro isn't, maybe they shouldn't stay subscribed).

5. The effort that may be put into the technical expertise roles/tasks
is ideally not small, but I think it's best that capable distros
themselves take care of it.  This means they're paying their employees
to do this sort of work for the distros community. (**)

6. Which entity would accept the funding?  How would it distribute the
funds to entities/people doing the actual work?  How transparent would
it be?  At least this adds overhead, but it also brings us to:

7. Let's not unnecessarily add to the controversy and thus to potential
conspiracy theories inherently surrounding embargoes and funding.

(*) I admit there are things we probably could do better with greater
effort.  For example, we could rewrite from scratch and release as Open
Source the encrypted mailing list software, which is currently an awful
hack.  I wouldn't oppose doing that piece of software development under
a separate funded project, if capable people were available for that.
However, I am worried that most teams tasked to work on something like
this would produce a complex monster, which wouldn't otherwise be
directly comparable (as in: is it better or worse? is it more or less
secure?) to the current hack.

(**) A month ago, we also started to accept capable and trusted
volunteers.  I am currently undecided on whether this should change if
some distros accept responsibility for all of the same roles.  It would
seem unfair to use these volunteers' time when the distros are paying
their employees to do similar work, whereas the volunteers join in their
individual capacity independent from their employment.

As to "focusing on Linux kernel security" (also in your words), we
already see how something like this is happening with KSPP.  Various
companies pay their employees to do portions of the work, Linux
Foundation funds a few other people's work, and there are many
volunteers.  All of this is met with criticism, controversy, and
conspiracy theories.  Yet the project proceeds, even if arguably slowly
and inefficiently.  Overall, would it benefit from or be hurt by more
funding, or by an extra funding source?  I don't know.  Funding creates
an incentive to work on and push academic security detached from
real-world threats.  That said, with no formal entity behind KSPP, lucky
people may choose whether and how they want their potential
contributions funded.  I guess someone or a team could apply for a grant
under H2020, then participate in KSPP.  This might or might not be a
good thing.

I think funded work generally has lower efficiency than volunteer work,
and I also think that's fine.  Ditto for coordinated effort rather than
independent work.  Low efficiency is part of the criticism, but I think
this is not entirely justified - that's just how things work in funded
and larger projects (in people count, not LOC).  I say this in relation
to KSPP.  I think we don't need to go for this for the distros list.

Alexander
