Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 1 Jun 2011 21:51:34 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com, secalert_us@...cle.com
Subject: Re: Closed list

Hi Chandan and all,

I've just subscribed Chandan to the Linux distros list (for Oracle
Linux), although as a community member I have reservations about that.
I was hoping to see more comments from others in the community.

I've included some comments of my own below:

On Tue, May 17, 2011 at 10:43:10AM -0700, Oracle Security Alerts wrote:
> If we know about vulnerabilities in advance, our fixing process
> starts before Red Hat releases their updates. It starts with
> assessment of issue, reviewing the fix for completeness and
> applicability to our kernel and components we maintain or provide in
> our Linux distribution. See
> http://www.oracle.com/us/technologies/linux/026042.htm
> or http://oss.oracle.com/

This makes sense.

Unfortunately, since Chandan is not on Oracle's Linux team and since
Oracle Linux includes pretty much "everything" that Linux distros do, my
concern is that Chandan will need to forward almost every message to
others at Oracle.  While this would be very helpful for occasional
messages (forward relevant messages only and to the right people only),
if done for almost every message it feels like it'd be better to have
some Oracle Linux folks subscribed directly, like we do for other distros.

But apparently the Oracle Linux folks don't really care - at least this
is the impression I got from this discussion thread so far, and I'd be
happy to be proven wrong.  Sure, it is possible to read oss-security
other than by being subscribed to the mailing list, and sure it is
possible to receive forwards from Chandan internally, but to me this
does show lack of interest.  Again, I'd be happy to be convinced that
this is not the case - such as by Oracle's active participation on the
new list and on oss-security, discussing Linux specific issues (beyond
and besides list membership).

> We have a large user base to protect. We do get reports of
> vulnerabilities in our Linux distribution which we may want to fix
> in collaboration with rest of the community.

I'd be happy to see this happen.  For low severity issues, please post
to oss-security right away.

> > Oracle was never actually accepted to vendor-sec for Oracle Enterprise Linux.
> 
> Not correct. From archives of vendor-sec I see there had been at
> least two representatives from Oracle Linux at vendor-sec and we had
> membership ever since Oracle started distributing Linux.
> 
> This discussion was held whenever they requested to subscribe to
> vendor-sec and it was concluded that while we may be redistributing
> some packages, Oracle Linux is a distro in its own right.

This is semi-consistent with what Tomas Hoger wrote:

"IIRC, Oracle was subscribed to v-s more than once - the "Sun" exploder
that was subscribed for quite a while (originally as Solaris vendor
probably), and individual OEL representative, added around the time
Oracle was in the process of acquiring Sun and there was no single
security contact for all products yet."

However, I don't see anyone from Oracle on what was given to me as the
final vendor-sec members list.  There's Sun's exploder, but no Oracle,
nor any Oracle person.

I recall that Joel Becker of Oracle had briefly contributed both to
vendor-sec and to oss-security discussions (thanks!), e.g. here:

http://www.openwall.com/lists/oss-security/2010/09/30/2

I don't recall if Joel was on vendor-sec (perhaps he was subscribed for
a while, then he asked to unsubscribe? just a guess), but I don't see
him on the final members list, and he has since unsubscribed from
oss-security (which may or may not indicate anything).

It would make more sense to me to subscribe Joel for Oracle Linux
(unless he's in fact not involved in that anymore, which I have no idea
of), and Chandan for Solaris and other ex-Sun products (to a proper
list, once/if one is set up).

Arguably, it's none of my business to suggest a distro vendor who to
subscribe, and as list admin I accept Oracle's decision for Chandan to
represent Oracle Linux.  I am just saying that as a community member I
would be more convinced of Oracle's interest in and ability to handle
advance notifications of security issues in Oracle Linux specifically if
a Linux person were being subscribed to that list (and participated on
oss-security as well, like Joel briefly did).

> > Then, the only @oracle.com person currently on oss-security (judging by
> > the e-mail addresses) appears not to be involved with Oracle Enterprise
> > Linux specifically.
> 
> There are other ways to subscribe to this list than email. See:
> http://oss-security.openwall.org/wiki/mailing-lists/oss-security

Sure.

> > Can you please add your info to the following wiki pages?
> > http://oss-security.openwall.org/wiki/vendors
> 
> Done,

Thank you!

If you can, please also add a section to:

http://oss-security.openwall.org/wiki/distro-patches

which would help other distros find your source code patches for
possible reuse.

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ