Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20080414154826.GA26181@openwall.com>
Date: Mon, 14 Apr 2008 19:48:26 +0400
From: Solar Designer <solar@...nwall.com>
To: xvendor@...ts.openwall.com
Subject: Re: "going public"

Hi,

I am sorry that I failed to find time to work on revitalizing the
xvendor list in February and March, beyond making the archive public on
the web and placing a news item on the Openwall website (which I did).

Instead, I dedicated whatever little "free" time I had for this towards
getting oss-security off the ground.

On Mon, Feb 18, 2008 at 08:32:49AM +0100, Sebastian Krahmer wrote:
> Some questions came in mind:

Joey and Vincent have already provided good answers (thank you!), but
I'll add some:

> 1. Whos actually on the list?

There are currently 40 subscribers, not counting robot addresses for the
list archives (local, Gmane, MARC).  Most of these people may represent
various Linux distribution vendors (10+ of them, including several major
ones), but some may also represent other projects and companies (both
Open Source and not).  I'm not sure if it's appropriate to make the list
of potentially represented projects and companies public, because people
were not granting the list admins that right as they were joining.

Let me use this opportunity to ask - does anyone (of the current list
members) have any objections regarding me publicly mentioning their
project or company (as derived from the domain name) as being
"potentially represented" on this mailing list?  If so, please let me
know (private e-mail works fine).

Also, anyone (who's currently on the list) can feel free to let me know
the specific project and company name(s) that they represent, along with
authorization to mention those next time this is brought up on the list.

> 2. Whats its exact purpose? Like vendor-sec? Discussing patches/exploits?

No.  Here's my original description of this list:

	http://www.openwall.com/lists/xvendor/2002/08/19/1

I think it still applies, except that now that we also have oss-security,
most security topics should be brought up in there instead.

So, at this time, xvendor is for discussing non-security cross-vendor
issues.  Some example topics can be seen in my original list description
(seen at the URL above), as well as in recent postings by Joey and
Vincent.

As you know, the traffic has been extremely low so far.  I expect that
it will remain fairly low even when this list is properly functioning.
Quite often, a single message will suffice to make other vendors aware
of a change (e.g., new upstream maintainer of a package), an issue,
and/or a solution (e.g., the procmail mbox truncation bug & patch or the
glibc CLK_TCK issue and recommended solution that I had posted).  We
might also have discussions in here once in a while, e.g. on licensing
or interoperability issues.

> 3. vendors are only willing to post private patches if its a closed list
>    and they know who is subscribed

I don't think we want to see any "private patches" in here.  This list
is all about sharing - between vendors and with the world at large.

> 4. If the purpose is clear it needs some announcement (to the dedicated 
>    folks) so that folks know about it and it soon drives itself.

I agree.  Do you (or anyone) have suggestions on where to announce this
list such that we attract the right folks?  Indeed, I do have some
thoughts of my own, but I am sure that other list members can contribute
theirs as well.

> 5. We should avoid a vendor-sec clone, otherwise the competition will
>    destroy both lists.

To me, xvendor is not even similar to vendor-sec in terms of appropriate
topics - I see no intersection.  Indeed, many folks will be on both
lists, as well as on oss-security, but that's just right.  It's the
topics that will differ.

Thanks,

Alexander

Powered by blists - more mailing lists

Please check out the xvendor mailing list charter.