Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 25 Mar 2010 10:24:45 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CFPs and con invitations on the list

----- "Solar Designer" <solar@...nwall.com> wrote:
> Hi Josh,
> 
> Thank you for speaking up.
> 
> On Mon, Mar 15, 2010 at 09:52:22AM -0400, Josh Bressers wrote:
> > ----- "Solar Designer" <solar@...nwall.com> wrote:
> > > 
> > > That said, I won't be approving any further "multi-conference" stuff,
> > > but I've just approved a HITB announcement...  BTW, Hafez Kamal has
> > > been a subscriber to oss-security for a while.
> > 
> > I agree with this decision. I don't see such announcements adding any
> > value here, and probably just increase the noise level.
> 
> I find the above confusing.  First you say that you agree with my
> decision to be selective about the announcements (reject some, approve
> some others), then you state that "such announcements" (all of them?)
> don't add any value in your opinion.  Please clarify.

Sorry, I misread your comment. I was under the impression you were
suggesting after this point, we don't approve any more conference postings.

> 
> > Unless someone has a compelling argument FOR letting these though,
> 
> So far, I only got a few "I don't mind to receive these" responses
> (off-list).  I don't think these count as "compelling arguments", yet I
> am also not very comfortable about rejecting messages that some people
> are sending and others don't mind receiving.

If folks don't mind getting these, and there aren't too many, I won't
complain.

> 
> > I think this is an acceptable policy.
> 
> Please define the policy first.

This is from when I was under the impression it's "no more conference
announcements".

> 
> I think that it's not great to just do nothing about these postings -
> neither approve nor reject them, letting them get bounced to the senders
> with an automated message stating that "the list moderators for the
> oss-security list have failed to act on your post."  It is best to either
> approve or explicitly reject messages, providing an explanation to the
> sender.

I'll keep this in mind. Historically I just ignore moderation requests I
feel don't belong (although I also have been very busy lately and not
paying attention to the moderation queue, this is mostly over now, so I'll
keep an eye on things).

> 
> As you have noticed, I've approved two additional HITB postings recently
> - one about the videos (somewhat valuable), the other a correction (of
> little value).  I think the videos posting was in fact desirable, and it
> felt illogical to reject these after having approved the Agenda posting.

That seemed reasonable to me.

> 
> Now we have the following in the moderation queue:
> 
> Date: Thu, 25 Mar 2010 00:13:06 +0100
> From: Jonathan Brossard <endrazine@...il.com>
> To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk,
>  darklab@...ts.darklab.org, droit-net@....fr,
>  focus-apple@...urityfocus.com, focus-linux@...urityfocus.com,
>  focus-ids@...urityfocus.com, framework@...ol.metasploit.com,
>  misc@...nbsd-france.org, oss-security@...ts.openwall.com,
>  owasp-all@...ts.owasp.org, tmplab@...ts.tmplab.org,
>  webappsec@...urityfocus.com, websecurity@...appsec.org,
>  Organization team for Hackito Ergo Sum 2010
> <hes2010-orga@...ts.hackitoergosum.org>,
>  Hackito Ergo Sum 2010 - Call For Paper address
> <hes2010-cfp@...ts.hackitoergosum.org>
> Subject: Hackito Ergo Sum Conference (Paris 8-10 April 2010) :
> Schedule
> 
> Some of the talk topics they're announcing are quite curious and
> relevant, in my opinion.  Jonathan Brossard has been on the oss-security
> list for some months.

I think those headers bring up a good point. This is comparable to the old
days of cross posting to lots of gropus on usenet (for you young folks, it
was frowned upon). Perhaps we encourage messages DIRECTED at oss-security,
rather than shotgun announcements.

> 
> I guess you don't want this approved - at least, you're not doing that.
> If so, I'd appreciate it if you help us define a policy and explicitly
> reject this posting according to that.  Or should we approve it?  Or do
> you want us to not get distracted to this topic, continuing to ignore it
> (as being of little relevance to the purpose of oss-security)?
> 

I think given our current lack of policy, we should probably approve such
messages, as I don't want to make the content based on if I'm grumpy or
annoyed at someone on a given day :)

So this list has a defined audience, the security minded citizens of Open
Source. I could see a couple possible announcement policies (not just for
conferences, this could apply for lots of stuff)

1) Approve them all. (we already have full-disclosure, we don't really need
    another)
2) Approve only things obviously tailored for the list. (this is a bit
    snobbish I admit)
3) Approve only things geared at Open Source. (I sort of like this one, but
    the line is REALLY fuzzy)
4) Approve posts from list memebers who've been on the list for > 1 month.
    (I suspect this is the best solution)


Perhaps something that falls backward through that list, stopping at #2. If
a post meets any of the conditions in #2, #3, or #4, it's in.

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.