|
Message-ID: <cc557953-68e0-4e47-ac66-d3a98278864e@almalinux.org> Date: Mon, 15 Jul 2024 11:46:39 -0500 From: Jonathan Wright <jonathan@...alinux.org> To: oss-security@...ts.openwall.com Subject: Re: linux-distros application for CentOS Project's Hyperscale SIG Just to confirm, I'm more than happy to vouch for Michel, Davide, and Neal. I've been working with all 3 for a couple of years now and they're an excellent fit for the list. On 7/10/2024 6:54 PM, Michel Lind wrote: > Hi Demi, Mark, > On Wed, Jul 10, 2024 at 04:15:33PM -0500, Mark Esler wrote: >> On Wed, Jul 10, 2024 at 03:51:44PM -0400, Demi Marie Obenour wrote: >>> On Wed, Jul 10, 2024 at 11:23:56AM -0500, Michel Lind wrote: >>>> I am submitting this application on behalf of CentOS Project's Hyperscale SIG. >>>> >>>> Myself (Michel Lind), as well as Davide Cavalca and Neal Gompa (SIG co-chairs), would be joining if approved. >>>> https://sigs.centos.org/hyperscale/sig/membership/ >>>> >>> I know that at least Neal Gompa is also a Fedora developer. Would it >>> be permissible for him to also handle security patches for Fedora, if >>> Fedora is also affected? > All three of us are Fedora developers - but AIUI, we will not and can not use > membership here to contribute Fedora patches - until the embargo is > over. > > For Hyperscale itself we plan to use the head start to have local builds > ready to go, and commit and do a public build as soon as the embargo is > over; if it needs collaboration we can use private Git repos and E2EE > private chats to discuss the fix among ourselves. > > This is, to the best of my knowledge, similar to how AlmaLinux handles > embargoed security issues - the fix is ready to go but is only made > available once the embargo is lifted. > > Now - wearing our Fedora hats, we certainly would try and help get this > fixed in Fedora once the embargo is over (as we've done before) - and > knowing a CVE is going to be made public would certainly help (e.g. > trying to make sure one of us is around) - but we won't be participating > in the list wearing our Fedora hat, or discuss embargoed issues with > people not on the list. > >> I am curious what this could mean for Fedora Asahi Remix [0], as the >> applicants maintain both distros. >> >> Is there interest in the Asahi SIG applying as well? >> >> I heartily endorse the applicants membership request and appreciate >> their work. Hooray for ARM \o/ >> > So... if this works for Hyperscale, we could potentially discuss with > other Fedora developers about having Fedora itself be represented in > linux-distros. Something to bring up at Flock! There's already some > discussion of this in the Fedora Security Matrix room w.r.t. last week's > OpenSSH CVE. > > > Best regards, >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.