Date: Fri, 04 Apr 2008 12:08:07 -0800
From: Jonathan Smith <smithj@...ethemallocs.com>
To: Vincent Danen <vdanen@...sec.ca>
CC: Josh Bressers <bressers@...hat.com>, 
 Solar Designer <solar@...nwall.com>,
 Andrea Barisani <andrea@...ersepath.com>, 
 oss-security@...ts.openwall.com
Subject: Re: announcing oCERT & oss-security to Bugtraq & f-d

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vincent Danen wrote:
| * [2008-04-04 15:35:53 -0400] Josh Bressers wrote:
|>> Andrea Barisani wrote:
|>> >
|>> > Do you think you could make that announcement soon? Press is already covering
|>> > oCERT, so it makes little sense delaying f-d + bugtraq that much, if you
|>> > think it's going to be delayed by days then maybe we can announce separate.
|>>
|>> I think that it's best to not delay our joint announcement.
|>>
|>> Josh, Vincent, Jonathan - what do you think?
|>>
|>
|> I'm not comfortable with the current timeline for this.  One day is not
|> enough time to draft a proper announcement.
|>
|> Again though, this question belongs on the list, not here.
|
| [snip]
|
| I don't have a problem with it being announced at the same time, but I
| do think that one day is pretty short notice to draft a decent
| announcement (i.e. something that won't result in a "why do we need
| another ml like fd or bugtraq" barrage of postings), because we need to
| figure out the best way to do this so we don't get people like "n3td3v"
| coming to the list.

I've got to agree with Vincent here. We didn't have much heads-up about
this. Having folks on-list who shouldn't be was my main concern with
oss-security to begin with, and posting the list to the masses (at this
point in time) isn't going to make that easier.

That being said, we need to figure that out before oss-security can be
useful to a broader range of people and projects.

|> I'm also quite happy with the rather slow growth we're currently seeing on
|> the mailing list.  We need a solid base before we can handle what will be
|> explosive list growth from a big public announcement.
|
| I think we should activate membership moderation before we make a big
| public announcement for exactly this reason.  Which is why we need more
| than one day... this needs to be discussed amongst members and needs to
| be noted in the announcement (to keep the idiots from trying to
| subscribe and then us having to punt a bunch of them after the fact).

Yep. But, I still think we should allow read-only memberships without
moderation. Having to read oss-security through rss or a web interface
would be frustrating.

|> Additionally, this discussion belongs on the oss-security list, not between
|> the current CC list.  It's a public group run by the members.
|
| This I do agree with.

Indeed. I'm CCing oss-security with this email.

	smithj

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkf2iqYACgkQCG91qXPaRembWQCgqOLVlp621ycKIApI5t9CSLPT
43EAoKaXEQuQvtVb0LCc1T6fzPSe6CT5
=CYpo
-----END PGP SIGNATURE-----
