Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login Linux kernel security hardening Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Fri, 4 Apr 2008 22:07:18 +0000
From: Andrea Barisani <andrea@...ersepath.com>
To: Solar Designer <solar@...nwall.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: announcing oCERT & oss-security to Bugtraq & f-d

On Sat, Apr 05, 2008 at 01:08:58AM +0400, Solar Designer wrote:
> Josh, Vincent, Jonathan - thank you for commenting on this so promptly!
> 
> Andrea - it appears that the oCERT announcement should be separate, then.
> Please go ahead with it, and feel free to mention oss-security in passing
> as a group that oCERT intends to work with, as Vincent suggested.  I'm
> not sure if it's appropriate to include a link to the oss-security wiki;
> I would do it, but Vincent suggested that we make "the intelligent" use
> Google instead (and not invite the rest to our wiki just yet).
> 

Ok, but if the only issue is time I'd be happy to delay until monday,
(announcements on weekends are bad anyway). 

> > Vincent Danen wrote:
> > | I don't have a problem with it being announced at the same time, but I
> > | do think that one day is pretty short notice to draft a decent
> > | announcement (i.e. something that won't result in a "why do we need
> > | another ml like fd or bugtraq" barrage of postings),
> 
> Good point, and I am sorry for the short notice.  To me, this was
> expected, but I failed to notify the oss-security group of this
> possibility earlier.  I did not expect that the press would pick oCERT
> up before the Bugtraq & f-d announcement, though - and this is now a
> reason for not delaying the announcement anymore.
> 

Yep, didn't expect much press either, it wasn't my intention to rush things.

> 
> Let's just not leave things undefined and non-announced forever.  If
> oss-security is successful, and it appears that it is, it will become
> known anyway - but possibly with more confusion around it if we don't
> announce it ourselves.
>

I agree to this.

Cheers!

-- 
Andrea Barisani                             Inverse Path Ltd
Chief Security Engineer                     -----> <--------

<andrea@...ersepath.com>          http://www.inversepath.com
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
       "Pluralitas non est ponenda sine necessitate"

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ