Message-ID: <20191105180406.GA26719@openwall.com>
Date: Tue, 5 Nov 2019 19:04:06 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Membership application for linux-distros - VMware

On Mon, Nov 04, 2019 at 03:03:42PM -0800, Srivatsa S. Bhat wrote:
> I'd like to sign up as primary for Administrative 5: "Determine if the
> reported issues are Linux-specific... ", and as backup for Technical 4.
> "Check if related issues exist in the same piece of software...".

Great.  VMware Photon OS is now signed up for those.

SUSE is now backup (was primary) for Administrative 5: "Determine if the
reported issues are Linux-specific ..."

> (I did consider the other task that you brought up, namely Technical
> 6, but I think we'd need more experience on the list before we can
> sign up for that task).

I thought so too, which is a reason why I also directed that request to
other distros reading our discussion.

> Also, is there a write-up somewhere that defines exactly what primary
> and backup means in this context?

No.

> At the moment, I'm assuming that,
> for a given task, the primary distro will take up that task for every
> issue that gets posted onto linux-distros; and in case the primary is
> unavailable (due to vacation/travel etc), then the backup will step up
> for that task until the primary gets back. Is that how it works?

Yes, and besides that I also expect the backup to watch the list for
related aspects of issues that the primary might have missed or
misunderstood or mishandled, and to chime in as necessary to correct
that.  For example, let's take Administrative task 1:

"Promptly review new issue reports for meeting the list's requirements
and confirm receipt of the report and, when necessary, inform the
reporter of any issues with their report (e.g., obviously not actionable
by the distros) and request and/or propose any required yet missing
information (most notably, a tentative public disclosure date/time) -
primary: CoreOS, backup: Oracle"

Given this, I expect that if there's no response to the issue reporter
and the list by CoreOS within a day, Oracle would respond in their place
even if these distros had not negotiated/announced any vacation/travel
beforehand.  (We tell reporters that they should expect a response
within 48 hours, which leaves about one day for the primary to respond
and another day for the backup to respond in their place if the primary
did not.)  Similarly, I'd expect Oracle to send a follow-up message to
the reporter and the list if CoreOS' response is missing required
information or questions/requests - e.g., the report didn't have a
tentative public disclosure date/time yet CoreOS didn't request that.
I'd also expect Oracle to chime in if they find CoreOS' response wrong -
e.g., if it acknowledged the embargo, whereas Oracle finds the issue
"obviously not actionable by the distros".

> If
> so, will we get to know the contact details of other distros so that
> we can coordinate our schedules?

Yes, but per the above that isn't enough, and it's also less important
than you might have expected.  For distros with more than one person
subscribed, my expectation is that they'll almost always be around to
handle whatever they volunteered for, and the backup's role is primarily
in making sure that the work is being done correctly all the time.

> On a related note, would it be okay for me to request another member
> of the Photon OS team (whom I can vouch for), to be added to the
> linux-distros list, so that we can have at least one person from our
> team always available to take action for our distro, in response to
> the issues disclosed on the list?

Yes.

Alexander
