Date: Fri, 4 Apr 2008 23:06:41 -0600
From: Vincent Danen <vdanen@...sec.ca>
To: oss-security@...ts.openwall.com
Subject: Re: announcing oCERT & oss-security to Bugtraq & f-d

* [2008-04-05 01:08:58 +0400] Solar Designer wrote:

>Josh, Vincent, Jonathan - thank you for commenting on this so promptly!
>
>Andrea - it appears that the oCERT announcement should be separate, then.
>Please go ahead with it, and feel free to mention oss-security in passing
>as a group that oCERT intends to work with, as Vincent suggested.  I'm
>not sure if it's appropriate to include a link to the oss-security wiki;
>I would do it, but Vincent suggested that we make "the intelligent" use
>Google instead (and not invite the rest to our wiki just yet).

I think at this point, just mentioning it should suffice until we figure
out the basics (unless Andrea waits until next week and we have a
consensus in place).

>> Vincent Danen wrote:
>> | I don't have a problem with it being announced at the same time, but I
>> | do think that one day is pretty short notice to draft a decent
>> | announcement (i.e. something that won't result in a "why do we need
>> | another ml like fd or bugtraq" barrage of postings),
>
>Good point, and I am sorry for the short notice.  To me, this was
>expected, but I failed to notify the oss-security group of this
>possibility earlier.  I did not expect that the press would pick oCERT
>up before the Bugtraq & f-d announcement, though - and this is now a
>reason for not delaying the announcement anymore.

No, not for oCERT, for sure.  But I think I'd like to see some of the
ground-rules laid out first, now, before we have to re-think or change
things later (in terms of basics), and end up ticking people off.

>> | because we need to
>> | figure out the best way to do this so we don't get people like "n3td3v"
>> | coming to the list.
>
>Maybe it's OK if they come to the list, but are unable to post - or get
>kicked out.

I think maybe a moderated subscription, and unmoderated postings (for
members, moderated non-subscriber postings mandatory) would be a good
way to do it.

>On Fri, Apr 04, 2008 at 12:08:07PM -0800, Jonathan Smith wrote:
>> I've got to agree with Vincent here. We didn't have much heads-up about
>> this. Having folks on-list who shouldn't be was my main concern with
>> oss-security to begin with, and posting the list to the masses (at this
>> point in time) isn't going to make that easier.
>> 
>> That being said, we need to figure that out before oss-security can be
>> useful to a broader range of people and projects.
>
>OK, can we please start figuring this out, then?  Once there's consensus
>or an obviously prevailing opinion in this group, Openwall is going to
>re-configure the list as it will be agreed upon, and everyone can edit
>the wiki to reflect that.  Then we'll be ready for a "big announcement",
>right?  Or do we want to work on the wiki content more first?  Or maybe
>tighten up the wiki settings?

I think the wiki content is ok... we could delay this for months just
getting the wiki content straightened out and flushed out.  I don't
think we want to do that.  Tightening up who can edit the wiki is a good
idea tho.

>Let's just not leave things undefined and non-announced forever.  If
>oss-security is successful, and it appears that it is, it will become
>known anyway - but possibly with more confusion around it if we don't
>announce it ourselves.

I agree.

>> | I think we should activate membership moderation before we make a big
>> | public announcement for exactly this reason.  Which is why we need more
>> | than one day... this needs to be discussed amongst members and needs to
>> | be noted in the announcement (to keep the idiots from trying to
>> | subscribe and then us having to punt a bunch of them after the fact).
>> 
>> Yep. But, I still think we should allow read-only memberships without
>> moderation. Having to read oss-security through rss or a web interface
>> would be frustrating.
>
>I agree with Jonathan on this.
>
>As to whether to enable message pre-moderation for list members before
>the announcement or only when we really have to, I am not sure.  I'll
>let others decide.

No, I don't think we need to moderate member postings.  I think we
should do it this way:

- members can post at will
- subscribers are read-only [1]
- non-members have posts moderated
- membership is moderated

[1] the distinction between member and subscriber is a member being
someone who can post, and a subscriber is someone who gets it read-only

-- 
Vincent Danen @ http://linsec.ca/
