Message-ID: <cc557953-68e0-4e47-ac66-d3a98278864e@almalinux.org>
Date: Mon, 15 Jul 2024 11:46:39 -0500
From: Jonathan Wright <jonathan@...alinux.org>
To: oss-security@...ts.openwall.com
Subject: Re: linux-distros application for CentOS Project's
 Hyperscale SIG

Just to confirm, I'm more than happy to vouch for Michel, Davide, and 
Neal.  I've been working with all 3 for a couple of years now and 
they're an excellent fit for the list.

On 7/10/2024 6:54 PM, Michel Lind wrote:
> Hi Demi, Mark,
> On Wed, Jul 10, 2024 at 04:15:33PM -0500, Mark Esler wrote:
>> On Wed, Jul 10, 2024 at 03:51:44PM -0400, Demi Marie Obenour wrote:
>>> On Wed, Jul 10, 2024 at 11:23:56AM -0500, Michel Lind wrote:
>>>> I am submitting this application on behalf of CentOS Project's Hyperscale SIG.
>>>>
>>>> Myself (Michel Lind), as well as Davide Cavalca and Neal Gompa (SIG co-chairs), would be joining if approved.
>>>>    https://sigs.centos.org/hyperscale/sig/membership/
>>>>
>>> I know that at least Neal Gompa is also a Fedora developer.  Would it
>>> be permissible for him to also handle security patches for Fedora, if
>>> Fedora is also affected?
> All three of us are Fedora developers - but AIUI, we will not and can not use
> membership here to contribute Fedora patches - until the embargo is
> over.
>
> For Hyperscale itself we plan to use the head start to have local builds
> ready to go, and commit and do a public build as soon as the embargo is
> over; if it needs collaboration we can use private Git repos and E2EE
> private chats to discuss the fix among ourselves.
>
> This is, to the best of my knowledge, similar to how AlmaLinux handles
> embargoed security issues - the fix is ready to go but is only made
> available once the embargo is lifted.
>
> Now - wearing our Fedora hats, we certainly would try and help get this
> fixed in Fedora once the embargo is over (as we've done before) - and
> knowing a CVE is going to be made public would certainly help (e.g.
> trying to make sure one of us is around) - but we won't be participating
> in the list wearing our Fedora hat, or discuss embargoed issues with
> people not on the list.
>
>> I am curious what this could mean for Fedora Asahi Remix [0], as the
>> applicants maintain both distros.
>>
>> Is there interest in the Asahi SIG applying as well?
>>
>> I heartily endorse the applicants' membership request and appreciate
>> their work. Hooray for ARM \o/
>>
> So... if this works for Hyperscale, we could potentially discuss with
> other Fedora developers about having Fedora itself be represented in
> linux-distros. Something to bring up at Flock! There's already some
> discussion of this in the Fedora Security Matrix room w.r.t. last week's
> OpenSSH CVE.
>
>
> Best regards,
>
