Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 6 Jul 2019 18:29:36 -0400
From: Sasha Levin <>
Subject: Re: linux-distros membership application - Microsoft

On Sat, Jul 06, 2019 at 09:37:37PM +0200, Solar Designer wrote:
>Hi all,
>Per our current policy and precedents, I see no valid reasons not to
>subscribe Microsoft (or part(s) of it, see below) to linux-distros.  So
>I intend to figure out some detail and proceed with the subscription.

Thank you.


>On Fri, Jun 28, 2019 at 01:08:12PM -0400, Sasha Levin wrote:
>> Can I suggest that we fork the discussion around security-bugs.rst to
>> LKML? I can suggest an initial patch to address your comments here but I
>> think that this is better handled on LKML.
>Yes, please.

Sure, give me a day or two to get it out. I'll cross-post
LKML/ksummit-discuss/oss-security as I think it's one of those times it
actually makes sense.

>> Microsoft's history with Linux is a rather recent one. I can offer the
>> following examples if you're willing to give us a few months off of the
>> "1 year" requirement:
>> CVE-2018-1002105:
>> CVE-2018-5391, CVE-2018-5390:
>> CVE-2019-5736:
>> CVE-2019-11477, CVE-2019-11478, CVE-2019-11479:
>The oldest of these is August 8, 2018, which is just 1 month short of
>the 1 year term.  I suppose we could either give Microsoft this 1 month
>off as you suggest based on Microsoft's track record of promptly dealing
>with security issues in non-Linux products, or subscribe Microsoft to
>linux-distros in August 2019 (or later).

Whatever list admins/members are comfortable with.

>More importantly, maybe we shouldn't list "Microsoft" as a member of
>linux-distros.  Microsoft is so much more than the recent Linux-based
>products and services.  We similarly list "Amazon Linux AMI" rather than
>"Amazon", and "Chrome OS" rather than "Google" (and we had separately
>listed "Android", which has since unsubscribed), and "Ubuntu" rather
>than "Canonical".  OTOH, we were not as careful to list proper products,
>etc. for some others such as "Oracle".
>If we list "Microsoft", this might be especially confusing since issues
>being reported might also be relevant to Windows.  The reporters need to
>know they're not reaching Windows security team unless they specifically
>authorize that.
>Any suggestions on the above?

Yes, this is tricky. Maybe "Microsoft Linux Systems Group"? Thats our
group name within Microsoft. I guess that we can also add a short wiki
page with references to the products/distros we support as well as a
clarification that this has nothing to do with Windows and list MSRC's
contact information.

>Regardless, the list policy only allows use of the information for
>"getting the issue fixed for your distro's users and, only in rare
>extreme cases, for deployment of maximally non-revealing changes to
>maintain security of your distro's infrastructure most essential to the
>distro users' security in face of the security issue being dealt with.
>The need-to-know condition is met only if the person needs to
>participate in one of these two activities."  This is meant to preclude
>sharing within the organization beyond its parts responsible for the
>"distro" the organization is subscribed for.

As I've indicated before, we intend to follow the list's policies.
Information obtained from the list will be used only for the purposes
listed in our original application, and any additional future use will
go through the list for approvals first.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.