Message-ID: <Zo8fJWNFia9y2BS8@michel-fedora-PC198L6J>
Date: Wed, 10 Jul 2024 18:54:13 -0500
From: Michel Lind <michel@...hel-slm.name>
To: oss-security@...ts.openwall.com
Subject: Re: linux-distros application for CentOS Project's Hyperscale SIG

Hi Demi, Mark,
On Wed, Jul 10, 2024 at 04:15:33PM -0500, Mark Esler wrote:
> On Wed, Jul 10, 2024 at 03:51:44PM -0400, Demi Marie Obenour wrote:
> > On Wed, Jul 10, 2024 at 11:23:56AM -0500, Michel Lind wrote:
> > > I am submitting this application on behalf of CentOS Project's Hyperscale SIG.
> > > 
> > > Myself (Michel Lind), as well as Davide Cavalca and Neal Gompa (SIG co-chairs), would be joining if approved.
> > >   https://sigs.centos.org/hyperscale/sig/membership/
> > > 
> > 
> > I know that at least Neal Gompa is also a Fedora developer.  Would it
> > be permissible for him to also handle security patches for Fedora, if
> > Fedora is also affected?

All three of us are Fedora developers - but AIUI, we will not and cannot use
membership here to contribute Fedora patches - until the embargo is
over.

For Hyperscale itself we plan to use the head start to have local builds
ready to go, and commit and do a public build as soon as the embargo is
over; if it needs collaboration we can use private Git repos and E2EE
private chats to discuss the fix among ourselves.

This is, to the best of my knowledge, similar to how AlmaLinux handles
embargoed security issues - the fix is ready to go but is only made
available once the embargo is lifted.

Now - wearing our Fedora hats, we certainly would try and help get this
fixed in Fedora once the embargo is over (as we've done before) - and
knowing a CVE is going to be made public would certainly help (e.g.
trying to make sure one of us is around) - but we won't be participating
in the list wearing our Fedora hat, or discuss embargoed issues with
people not on the list.

> 
> I am curious what this could mean for Fedora Asahi Remix [0], as the
> applicants maintain both distros.
> 
> Is there interest in the Asahi SIG applying as well?
> 
> I heartily endorse the applicants' membership request and appreciate
> their work. Hooray for ARM \o/
> 
So... if this works for Hyperscale, we could potentially discuss with
other Fedora developers about having Fedora itself be represented in
linux-distros. Something to bring up at Flock! There's already some
discussion of this in the Fedora Security Matrix room w.r.t. last week's
OpenSSH CVE.


Best regards,

-- 
 _o) Michel Lind
_( ) identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2
