Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190706193737.GA23344@openwall.com>
Date: Sat, 6 Jul 2019 21:37:37 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: linux-distros membership application - Microsoft

Hi all,

Per our current policy and precedents, I see no valid reasons not to
subscribe Microsoft (or part(s) of it, see below) to linux-distros.  So
I intend to figure out some detail and proceed with the subscription.

The only voiced reasons not to, such as in Georgi Guninski's posting and
in comments on some technology news sites that covered Microsoft's
request, are irrelevant per our currently specified membership criteria.

Besides, (at least to me) Microsoft doesn't look all that different from
many other large corporations, including some which already have their
Linux distro teams represented on the list.  Microsoft has a lasting
stigma from its past actions from long ago.  IMO, we shouldn't let that
result in a biased decision against current Microsoft, effectively
favoring other corporations who might not be any better currently, but
just don't have that established stigma.

On Fri, Jun 28, 2019 at 01:08:12PM -0400, Sasha Levin wrote:
> Can I suggest that we fork the discussion around security-bugs.rst to
> LKML? I can suggest an initial patch to address your comments here but I
> think that this is better handled on LKML.

Yes, please.

> Microsoft's history with Linux is a rather recent one. I can offer the
> following examples if you're willing to give us a few months off of the
> "1 year" requirement:
> 
> CVE-2018-1002105: 
> https://azure.microsoft.com/en-us/updates/aks-clusters-patched-for-kubernetes-vulnerability/
> CVE-2018-5391, CVE-2018-5390: 
> https://azure.microsoft.com/en-us/blog/security-bulletin-for-august-2018/
> CVE-2019-5736: 
> https://azure.microsoft.com/en-us/updates/iot-edge-fix-cve-2019-5736/
> CVE-2019-11477, CVE-2019-11478, CVE-2019-11479: 
> https://azure.microsoft.com/en-us/updates/security-advisory-on-linux-kernel-tcp-vulnerabilities-for-hdinsight-clusters/

The oldest of these is August 8, 2018, which is just 1 month short of
the 1 year term.  I suppose we could either give Microsoft this 1 month
off as you suggest based on Microsoft's track record of promptly dealing
with security issues in non-Linux products, or subscribe Microsoft to
linux-distros in August 2019 (or later).

More importantly, maybe we shouldn't list "Microsoft" as a member of
linux-distros.  Microsoft is so much more than the recent Linux-based
products and services.  We similarly list "Amazon Linux AMI" rather than
"Amazon", and "Chrome OS" rather than "Google" (and we had separately
listed "Android", which has since unsubscribed), and "Ubuntu" rather
than "Canonical".  OTOH, we were not as careful to list proper products,
etc. for some others such as "Oracle".

If we list "Microsoft", this might be especially confusing since issues
being reported might also be relevant to Windows.  The reporters need to
know they're not reaching Windows security team unless they specifically
authorize that.

Any suggestions on the above?

Regardless, the list policy only allows use of the information for
"getting the issue fixed for your distro's users and, only in rare
extreme cases, for deployment of maximally non-revealing changes to
maintain security of your distro's infrastructure most essential to the
distro users' security in face of the security issue being dealt with.
The need-to-know condition is met only if the person needs to
participate in one of these two activities."  This is meant to preclude
sharing within the organization beyond its parts responsible for the
"distro" the organization is subscribed for.

> On Fri, Jun 28, 2019 at 02:57:43PM +0200, Solar Designer wrote:
> >If Microsoft joins for its Linux offerings (including Linux on top of
> >Windows), then checking if the Linux issues also affect Windows (itself)
> >would involve sharing beyond the need-to-know condition of
> >(linux-)distros list policy, so isn't allowed by default.  It could
> >still be done with explicit approval of the reporter, though, and I
> >expect most people would give such approval if asked.
> 
> I'd love to develop a framework that would allow for sharing of reports
> between linux-distros/security@.../MSRC given the explicit approval of
> the reporter. I think that the current "silo" model is broken.
> 
> Microsoft in general, and MSRC in particular have proved during
> Meltdown/Spectre that they are a trusted entity which can work well with
> the open source community to advance our common goals. 

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.