Date: Wed, 6 Apr 2011 17:53:50 -0400
From: Michael Gilbert <michael.s.gilbert@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Closed list

akuster wrote:

> 
> 
> On 04/06/2011 06:57 AM, Solar Designer wrote:
> > On Wed, Apr 06, 2011 at 06:26:01AM -1000, akuster wrote:
> >> Please subscribe me to the new list. I was a vendor-sec subscriber for
> >> MontaVista Software.
> >>
> >> pub  4096R/AEB9ED8D 2011-04-06 [expires: 2016-4-4]
> >> uid Armin Kuster <akuster@...sta.com>
> >> Fingerprint D51D 9911 B1C7 F763 9F82 F19F 7F75 7295 AEB9 ED8D
> > 
> > Looks like you forgot to make this public key available.  Please provide
> > it to me and I'll subscribe you.
> 
> I hit one server, guess I need to hit them all. Please try again with
> same key.
> 
> > 
> > While we're at it, the MontaVista Software entry at:
> > 
> > http://oss-security.openwall.org/wiki/vendors#montavista-software-llc
> > 
> > says: "The process for distribution of security advisories is currently
> > under discussion."  Perhaps this has already been discussed and decided
> > upon?  If so, please update the wiki page with specific link(s) to your
> > security advisories, updates, relevant mailing list archive - or
> > whatever you have.  
> 
> Our advisories are via a paid subscription service so they are not public.
> 
> > Without this info, it is unclear whether you would
> > be making timely intended use of the advance notifications or not.
> 
> Our customers require vulnerabilities to be addressed in a timely manner.
> 
> will revisit the wiki issue soon.

I'm not sure if anything has come of this request, but I hope closed
vendors like this get rejected. Non-public advisories are anathema to
the open source philosophy.  You have to ask the question: what is the
point of their participation in an oss list if they don't intend to
disclose anything?

Best wishes,
Mike
