Date: Fri, 4 Apr 2008 15:39:38 -0600
From: Vincent Danen <vdanen@...sec.ca>
To: Jonathan Smith <smithj@...ethemallocs.com>
Subject: Re: announcing oCERT & oss-security to Bugtraq & f-d

* [2008-04-04 12:08:07 -0800] Jonathan Smith wrote:

> |> I'm not comfortable with the current timeline for this. One day is not
> |> enough time to draft a proper announcement.
> |>
> |> Again though, this question belongs on the list, not here.
> |
> | [snip]
> |
> | I don't have a problem with it being announced at the same time, but I
> | do think that one day is pretty short notice to draft a decent
> | announcement (i.e. something that won't result in a "why do we need
> | another ml like fd or bugtraq" barrage of postings), because we need to
> | figure out the best way to do this so we don't get people like "n3td3v"
> | coming to the list.
>
> I've got to agree with Vincent here. We didn't have much heads-up about
> this. Having folks on-list who shouldn't be was my main concern with
> oss-security to begin with, and posting the list to the masses (at this
> point in time) isn't going to make that easier.
>
> That being said, we need to figure that out before oss-security can be
> useful to a broader range of people and projects.

I'm ok with un-moderated read-only access. I think that's a fine idea.
I do think, to keep the signal-to-noise-ratio (not to mention the BS
that plagues other lists like FD) down.

> |> I'm also quite happy with the rather slow growth we're currently seeing on
> |> the mailing list. We need a solid base before we can handle what will be
> |> explosive list growth from a big public announcement.
> |
> | I think we should activate membership moderation before we make a big
> | public announcement for exactly this reason. Which is why we need more
> | than one day... this needs to be discussed amongst members and needs to
> | be noted in the announcement (to keep the idiots from trying to
> | subscribe and then us having to punt a bunch of them after the fact).
>
> Yep. But, I still think we should allow read-only memberships without
> moderation. Having to read oss-security through rss or a web interface
> would be frustrating.

I have no problem with this, and I think ezmlm should be able to do this
easily enough. Solar, correct me if I'm wrong.

> |> Additionally, this discussion belongs on the oss-security list, not between
> |> the current CC list. It's a public group run by the members.
> |
> | This I do agree with.
>
> Indeed. I'm CCing oss-security with this email.

Good idea.

--
Vincent Danen @ http://linsec.ca/