Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 3 Mar 2011 17:58:19 -0800
From: Greg KH <greg@...ah.com>
To: Dan Rosenberg <dan.j.rosenberg@...il.com>
Cc: oss-security@...ts.openwall.com, Kees Cook <kees@...ntu.com>
Subject: Re: Vendor-sec hosting and future of closed lists

First off, we are way off-topic from the original topic here, very sorry
about that.

On Thu, Mar 03, 2011 at 08:08:23PM -0500, Dan Rosenberg wrote:
> > I actually use that traffic to watch out for things that need to make
> > sure they go into the stable releases.  Those patches are then posted to
> > stable@...nel.org when they are public, so you can watch that list if
> > you want.
> >
> 
> The difference is that distributions and the security community do not
> have access to the security@...nel.org list.

That is the point of security@ list.  Many people on this very list
asked for this type of alias years ago, so don't go and say that now you
don't want it :)

> The goal here to is
> bridge that communication gap - perhaps what's really needed is
> allowing more representation on the existing list and clarifying and
> encouraging policies for when CC'ing security@...nel.org is
> appropriate, especially in regards to on-the-fence issues.  If
> everyone were a bit more conscientious about e-mailing
> security@...nel.org when appropriate and that list had better
> representation from people who can actually coordinate with various
> downstream vendors, that would be an improvement.

That is what stable@ can be used for, please feel free to do that there
today.

> >> >> I think security communication needs to be
> >> >> improved at the commit level (as opposed to the reporting), since
> >> >> maintainers are often much more knowledgeable and better able to
> >> >> understand security impact than the users who are often presenting
> >> >> issues.
> >> >
> >> > I don't think you understand the rate of change in the kernel and how
> >> > trying to do this for every commit is unfeasable and unworkable.  You do
> >> > know how fast it goes, right?
> >> >
> >>
> >> Why is CC'ing a security list any more difficult than CC'ing stable?
> >
> > It's not, but if all you want to do is make sure the patch is applied to
> > the stable trees as you think it's a potential problem, just copy stable
> > instead.  That's what happens today.
> >
> 
> It's more about giving distributions the option of prioritizing
> security patches, and being more transparent about the potential risk
> introduced by certain issues.  As you've said, even picking security
> fixes out of the stable queue is a substantial amount of work, and
> this could be made easier with a bit more openness.

How can we be more open than we are today by showing you _all_ of the
patches that we are deeming as "fixes"?

You want people to somehow magically categorize patches, and that's not
going to happen because it's complicated and usually not known until
after the fact.  Way after the fact.

So again, take a look at stable@...nel.org, it shows you all of these
patches and you can start classifying them if you wish to.

thanks,

greg k-h

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.