Date: Tue, 23 Jan 2024 01:42:05 +0100
From: Solar Designer <>
Subject: Re: announcing sponsorship; distros list statistics for 2023

Here's an update:

All components of the oss-security and (linux-)distros infrastructure,
including not only the mailing lists but also the web archive and wiki,
have recently been migrated to a new hosting location in the Netherlands.
Due to this location and the proximity to AMS-IX, the websites should
now feel a bit faster from many parts of the world.

This migration was done in several stages, and (due to low DNS RR TTLs
and old resources staying up for a while) should have been transparent.
I anticipate some further transparent, behind-the-scenes changes this
year, such as for better preparedness to restore resources onto backup
infrastructure within a day if we ever have to.

Some further updates inline:

On Mon, Nov 06, 2023 at 09:26:21PM +0100, Solar Designer wrote:
> After 15+ years of being a 100% volunteer effort, Openwall's maintenance
> of oss-security and (linux-)distros is finally sponsored by the OpenSSF,
> a project of the Linux Foundation.  This sponsorship does not provide
> the Linux Foundation with the ability to set policies for community
> resources managed by Openwall.  I am grateful for the support, which
> will help ensure continued operation of these resources on a new level
> while retaining independence.
> As part of the sponsored effort, Openwall (currently me) took
> responsibility for the "statistics" contributing-back task:
> "Keep track of per-report and per-issue handling and disclosure timelines
> (at least times of notification of (linux-)distros and of public
> disclosure on oss-security), at regular intervals produce and share
> statistics (most notably, the average embargo duration) as well as the
> input data (except on issues that are still under embargo) by posting to
> oss-security - primary: Openwall, backup: vacant"
> At different times, this time-consuming task was handled by Gentoo and
> later by Amazon (thanks!) but was lately left unhandled.  Due to the
> sponsorship, I've now retroactively produced statistics for 2023 so far:

The statistics above now cover all of 2023, with 93 total reports.

> As expected, this uncovered a few mishandled issues, which I've recently
> pushed out to oss-security.  That's why there are several reports (out
> of a total of 86) with embargo duration way in excess of the allowed
> maximum.  This inflated the average duration accordingly, but the median
> stayed sane at 7 days.  This is also why we need to, and now will, take
> care of the statistics task in real time, not only retroactively, so
> that any mishandling is identified and corrected promptly.

No further issues were mishandled like that.

> Also for the first time (something I haven't seen Gentoo and Amazon do)
> included are the source files I manually created based on review of the
> e-mail threads and external resources referenced from there.  These
> files were processed with the also included (and permissively licensed)
> Perl script I wrote, so that others can reproduce the calculations or
> easily process the data differently.

I continued to add these, so we now have all 12 of these for 2023.

Also, the headers-only archives of the private lists last announced in:

have since been updated to cover the period through the end of 2023.
