Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login Linux kernel security hardening Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Fri, 4 Apr 2008 23:12:33 -0600
From: Vincent Danen <vdanen@...sec.ca>
To: oss-security@...ts.openwall.com
Subject: Re: Re: "who shouldn't be on-list"

* [2008-04-04 13:46:11 -0800] Jonathan Smith wrote:

> security curmudgeon wrote:
> | As a new subscriber who did not see specific mention of the desired list
> | population, could you clarify who you feel the list is for, or who should
> | not be on it?
>
> As I see it, the list is for members of the open-source community. Thus,
> to be admitted to the list, you either have to demonstrate that you're a
> developer of a (at least marginally notable) open source project, that
> you're a vendor who redistributes oss, or that you're a security
> researcher who audits or otherwise interacts with oss.
>
> This is, of course, only my opinion and may not reflect the rest of the
> group's ideas.

I think this is a good definition.

Bottom-line would be that this isn't a list for end-users.  End-users or
sysadmins, whatever, could be read-only subscribers... heck, that's no
different than reading web archives.

But to be a "member" of the list, with posting priveleges, I think you
need to be someone who can demonstrate an active role with some OSS --
this does not mean you need to be on a vendor security team, or the
apache/samba/whatever security contact.  You could be a grunt developer
who has an interest in security-related stuff (perhaps good programming
techniques, etc.) and as long as you're a member or developer of some
OSS with a reasonable exposure, then I think you can have a voice on the
list if you like.

Honestly, I think a lot of people will be lurkers... so for them they
never need to progress beyond read-only subscriber.  It's the people who
are interested in security (be it re-active or pro-active) that will
want to be "members" of the list.

Now, having said that, I think the ml subscription can be a lot more
open than wiki editing rights (which is a whole different ball of wax).

-- 
Vincent Danen @ http://linsec.ca/

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ