Date: Tue, 03 Jun 2008 11:46:30 -0800
From: Jonathan Smith <smithj@...ethemallocs.com>
To: oss-security@...ts.openwall.com
Subject: Re: tool announcements

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Solar Designer wrote:
| Also, I am not on full-disclosure -
| should this prevent me from being a moderator for oss-security, or do I
| have to subscribe to full-disclosure?

I don't think so, no. I actually gave up on FD recently as well, given
the ever-decreasing signal-to-noise ratio.

I should clarify; I don't actually mind cross-posting, so long as the
content is appropriate on all the lists posted to. I just don't,
personally, believe announcements should be on-topic on oss-security.

| Maybe.  However, many topics are valid on Bugtraq - not only Open Source
| ones.  I imagine that someone could be interested in security tool
| announcements relevant to Open Source software only.  Also, Bugtraq is
| so large that few of us would dare to bother its readers with
| announcements of new versions of a tool, even fairly major ones.

Maybe part of the problem is that I'm not that interested in new tools.
The ones I currently have work well enough, and I can only spend so much
effort learning new stuff, and there is more interesting new stuff to
learn :)

| Maybe we need to set up a new oss-sectools list, but I'd rather not go
| for it until we start to receive a substantial number of security tool
| announcements in here.

Sounds good.

| As to "sparking discussion", it is impossible to know that in advance.
| Yes, you wrote "designed to ..." - does ending a post with "comments,
| please?" qualify?  If so, that could be used on any announcement - even
| on a mostly-PR one.

Eh. I'd still lean "no" here. It doesn't seem very likely that "new
version of $my_package released with shiny new stuff" is going to
generate useful discussion. If, on the other hand, the author of the
tool emails the list asking for comments on a new method of
vulnerability scanning or similar, which may have been recently added to
his/her toolkit, that seems quite germane.

| Also, what about those CVE requests - is a single response, assigning
| the CVE number, "discussion"?  OK, in some cases people actually have
| comments.

Good point. CVE assignments to oss software clearly belong on-list since
they help us all by not duplicating work, even if they aren't strictly
discussion.

| Of the existing lists, Bugtraq is probably the place for PR.

Agreed.

| However, some tools could be of specific relevance to oss-security
| members - e.g., source code analysis tools and fuzzers.  Do you agree?

Sure.

| Is a moderator supposed to decide whether or not this is the case?

Well, I'm not sure. Not being a moderator, I don't know how much work it
really is. *If* it is a relatively low workload, I think weeding out the
not-as-relevant announces would be very valuable.

|> So, was this message, and "SQL_injection detection tool released" held
|> for moderation?
|
| Yes, they were.

Good to know.

| I don't regret approving these messages - I think that we're having
| useful discussion as a result, and I think that it was important for
| this group's members to be aware of what was coming to the list (except
| for spam).  Let's say that these two messages are "samples" of content
| that we might or might not want in here.
|
| My opinion is that moderators are not supposed to define the list's
| policy on their own - and we did not (and still do not) have this bit of
| policy fully defined.  So let's try to take care of that now, or I would
| not know what to do if more messages like these two arrive on the list.

Agreed. I wasn't intending to pass judgment on the moderators, just
wondering.

For now, I'll concede that there isn't enough traffic to justify forming
a new list. Consequently, I suppose I'm in favor of keeping them
on-list. When/if the announcement traffic level changes, perhaps we
should revisit.

	smithj

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEAREIAAYFAkhFn5UACgkQCG91qXPaRen2WQCeJRbmeWlU3ejUH/yDIPU9Wc2Z
fUEAnjEj0IqoXLSmBLXsCMePoG+H3ea1
=4j4N
-----END PGP SIGNATURE-----
