Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 04 Apr 2008 20:27:31 -0400
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: announcing oCERT & oss-security to Bugtraq & f-d

> 
> Andrea - it appears that the oCERT announcement should be separate, then.
> Please go ahead with it, and feel free to mention oss-security in passing
> as a group that oCERT intends to work with, as Vincent suggested.  I'm
> not sure if it's appropriate to include a link to the oss-security wiki;
> I would do it, but Vincent suggested that we make "the intelligent" use
> Google instead (and not invite the rest to our wiki just yet).

Yes, I think that's best.  No sense in adding a link to a project nobody
really knows about (which is by design).

> 
> OK, can we please start figuring this out, then?  Once there's consensus
> or an obviously prevailing opinion in this group, Openwall is going to
> re-configure the list as it will be agreed upon, and everyone can edit
> the wiki to reflect that.  Then we'll be ready for a "big announcement",
> right?  Or do we want to work on the wiki content more first?  Or maybe
> tighten up the wiki settings?

I'd like to see us work on the wiki content a bit more.  Perhaps a todo
page where we can list new content needed, and point at content that needs
some help.  Is there an easy way we can create an index of content that has
the FIXME wiki tag?

> 
> Let's just not leave things undefined and non-announced forever.  If
> oss-security is successful, and it appears that it is, it will become
> known anyway - but possibly with more confusion around it if we don't
> announce it ourselves.

I don't think anyone wants this, but just as never making ourselves known
is bad, a premature announcement isn't much good either.  I think we're
close, but not quite there yet.  We do however need to be mindful of the
old quote "perfect is the enemy of the good".

> > 
> > Yep. But, I still think we should allow read-only memberships without
> > moderation. Having to read oss-security through rss or a web interface
> > would be frustrating.
> 
> I agree with Jonathan on this.
> 
> As to whether to enable message pre-moderation for list members before
> the announcement or only when we really have to, I am not sure.  I'll
> let others decide.
> 

I think the way to go for this is going to be let the current members post
without moderation, and once there is an announcement, moderate new
members, with the option to remove the moderation flag is they prove to be
helpful.  A semi moderated list is going to be the way to go I suspect.

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.