Message-id: <1203350843.25839.TMDA@linsec.ca>
Date: Mon, 18 Feb 2008 09:06:09 -0700
From: Vincent Danen <vdanen@...sec.ca>
To: xvendor@...ts.openwall.com
Subject: Re: "going public"
* [2008-02-18 10:23:03 +0100] Sebastian Krahmer wrote:
>> The purpose is to discuss cross-vendor (thus the name) issues. This is
>> not limited to security problems, and indeed it was meant as an addition
>> to vendor-sec to be able to discuss other issues as well - such as license
>> problems with upstream cdrecord or lack of upstream maintenance of cron.
>> Things like that.
>>
>> > 3. vendors are only willing to post private patches if it's a closed list
>> > and they know who is subscribed
>>
>> As soon as vendors are releasing their product the patches cannot be
>> "private" anymore, GPL forbids this, and it's the most frequently used
>> license.
>They are private until CRD. And that's the point. That xvendor
>can become something like a 2nd level cache of vendor-sec.
Yeah, but you would use vendor-sec for that. I think it's quite
intentional that xvendor has no mention of "security" in it (unlike
oss-security, for instance).
As was previously stated, this is a cross-vendor discussion list for
things that affect all distros; Solar used a glibc bug as an example
before. Not necessarily security-related, but affects most of us.
I think xvendor is less related to vendor-sec than oss-security would
be. It might be prudent to look at it this way:
- vendor-sec: top level security-only private list (embargoed and
non-public stuff would go here)
- oss-security: mid-level security-only semi-public list (public
discussion on security issues goes here)
- xvendor: bottom-level non-security public list (public discussion on
cross-vendor non-security issues goes here)
I feel bad describing xvendor as a "bottom-level" list, but if you look
at it in terms of security (which you're obviously doing) then I think it's
an apt description. xvendor should not be considered security-related
at all and, I think, security topics would largely be off-topic on this
list (that's what oss-security is for).
--
Vincent Danen @ http://linsec.ca/