Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 19 Feb 2008 22:44:22 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: charter - advisories

On Tue, Feb 19, 2008 at 10:09:23AM -0700, Vincent Danen wrote:
> Yeah, I noticed this as well.  I think advisories should be kept off the
> list, for the same "signal-to-noise ratio" principal as bugtraq and FD.

For now, I've edited the charter draft as follows:

Security advisories aimed at end-users only are not welcome (e.g., those
from a distribution vendor announcing new pre-built packages).  There has
to be desirable information for others in the Open Source community
(e.g., an upstream maintainer may announce a new version of their
software with security fixes to be picked up by distributors).

If anyone can word it better, please do.

> It may be a better idea, if desired, to make a separate list that is a
> fully moderated (or possibly a reject-all with exceptions) list specific
> to carrying vendor advisories.

Yes, that was my idea too.  However, now that we mention the distinction
between two kinds of advisories (those for end-users only vs. those
useful to others as well), I am not sure which of these we want to go to
that other list.  Should we create a list for advisories that are useful
for us, then change the above guideline to "no advisories" for the main
oss-security list?  Or should we create a list for both kinds of
advisories?  In the latter case, should we ban the useful advisories
from the main oss-security list or should these be CC'ed to both lists?
Or should we create two new lists?..

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ