Message-ID: <20231106202621.GA31244@openwall.com>
Date: Mon, 6 Nov 2023 21:26:21 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: announcing sponsorship; distros list statistics for 2023

Hi,

After 15+ years of being a 100% volunteer effort, Openwall's maintenance
of oss-security and (linux-)distros is finally sponsored by the OpenSSF,
a project of the Linux Foundation.  This sponsorship does not provide
the Linux Foundation with the ability to set policies for community
resources managed by Openwall.  I am grateful for the support, which
will help ensure continued operation of these resources on a new level
while retaining independence.

As part of the sponsored effort, Openwall (currently me) took
responsibility for the "statistics" contributing-back task:

"Keep track of per-report and per-issue handling and disclosure timelines
(at least times of notification of (linux-)distros and of public
disclosure on oss-security), at regular intervals produce and share
statistics (most notably, the average embargo duration) as well as the
input data (except on issues that are still under embargo) by posting to
oss-security - primary: Openwall, backup: vacant"

At different times, this time-consuming task was handled by Gentoo and
later by Amazon (thanks!) but was lately left unhandled.  Due to the
sponsorship, I've now retroactively produced statistics for 2023 so far:

https://oss-security.openwall.org/wiki/mailing-lists/distros/stats/2023

As expected, this uncovered a few mishandled issues, which I've recently
pushed out to oss-security.  That's why there are several reports (out
of a total of 86) with embargo duration way in excess of the allowed
maximum.  This inflated the average duration accordingly, but the median
stayed sane at 7 days.  This is also why we need to, and now will, take
care of the statistics task in real time, not only retroactively, so
that any mishandling is identified and corrected promptly.

Also for the first time (something I haven't seen Gentoo and Amazon do)
included are the source files I manually created based on review of the
e-mail threads and external resources referenced from there.  These
files were processed with the also included (and permissively licensed)
Perl script I wrote, so that others can reproduce the calculations or
easily process the data differently.

Stay tuned for further updates.

Alexander
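As an added illustration of the statistics task described above, the following example (not the post's Perl script, which is published on the wiki page linked above) computes per-report embargo durations from a constructed per-report file, reports the mean and median, and flags reports whose embargo exceeded an assumed allowed maximum. The input format, the sample records, and the `MAX_EMBARGO_DAYS` figure are all assumptions for this example; the post does not give the policy maximum or the script's real input layout.

```python
from datetime import date
from statistics import mean, median

# Assumed allowed maximum embargo in days (placeholder; the post does not state the figure).
MAX_EMBARGO_DAYS = 14

# Constructed sample records, one per report: "report-id notified-date published-date".
# Illustrative values only, not data from the post or from the wiki statistics page.
# R-005 stands in for a "mishandled" report that was only published long after notification.
SAMPLE_RECORDS = """\
# id       notified    published
R-001      2023-03-01  2023-03-08
R-002      2023-04-10  2023-04-17
R-003      2023-05-02  2023-05-09
R-004      2023-06-15  2023-06-22
R-005      2023-01-20  2023-10-30
"""


def parse_records(text):
    """Parse the constructed per-report format into (id, notified, published) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        report_id, notified, published = line.split()
        records.append((report_id, date.fromisoformat(notified), date.fromisoformat(published)))
    return records


def embargo_days(records):
    """Map report id -> embargo duration in days (publication date minus notification date)."""
    return {rid: (pub - note).days for rid, note, pub in records}


def summarize(records, max_days=MAX_EMBARGO_DAYS):
    """Return count, mean, median and the ids of reports that exceeded the allowed maximum."""
    durations = embargo_days(records)
    values = list(durations.values())
    overdue = sorted(rid for rid, days in durations.items() if days > max_days)
    return {"count": len(values), "mean": mean(values), "median": median(values), "overdue": overdue}


if __name__ == "__main__":
    # One late report pulls the mean far above the median, as the post describes.
    print(summarize(parse_records(SAMPLE_RECORDS)))
```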
