Date: Mon, 02 May 2011 07:53:10 -1000
From: akuster <akuster@...sta.com>
To: oss-security@...ts.openwall.com
CC: Solar Designer <solar@...nwall.com>
Subject: Re: Closed list
Alexander,
Thanks for the clarification.
- Armin
On 05/02/2011 07:22 AM, Solar Designer wrote:
> On Mon, May 02, 2011 at 07:03:55AM -1000, akuster wrote:
>> On 05/02/2011 06:12 AM, Solar Designer wrote:
>>> On Mon, May 02, 2011 at 04:56:30AM -1000, akuster wrote:
>>>> Can you clarify what is meant by updates?
>>>
>>> RHEL-like .src.rpm's or equivalent will do. Something else might do.
>>
>> Ok.. but do they need to be publicly available (i.e., no service or
>> maintenance contract to get)?
>
> Per the discussion so far, yes, or you would likely be in another
> category from the "open" Linux distro vendors. I don't know what others
> in here would say if you, for example, only make advisories public, but
> not any code. Maybe this will do (that is, folks would not oppose you
> being on the same list with the "open" vendors), maybe not. A better
> option could be for you to make advisories and package metainfo public
> (file lists, change logs, etc.), but not the packages themselves.
> I similarly don't know how that would be received by others in here.
> On one hand, it would show that you're preparing security updates, for
> what software, and when. On the other, the level of openness would
> still be less than Red Hat's.
>
> Alexander