Date: Wed, 1 Jun 2011 21:51:34 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com, secalert_us@...cle.com
Subject: Re: Closed list

Hi Chandan and all,

I've just subscribed Chandan to the Linux distros list (for Oracle Linux), although as a community member I have reservations about that. I was hoping to see more comments from others in the community. I've included some comments of my own below:

On Tue, May 17, 2011 at 10:43:10AM -0700, Oracle Security Alerts wrote:
> If we know about vulnerabilities in advance, our fixing process
> starts before Red Hat releases their updates. It starts with
> assessment of issue, reviewing the fix for completeness and
> applicability to our kernel and components we maintain or provide in
> our Linux distribution. See
> http://www.oracle.com/us/technologies/linux/026042.htm
> or http://oss.oracle.com/

This makes sense. Unfortunately, since Chandan is not on Oracle's Linux team and since Oracle Linux includes pretty much "everything" that Linux distros do, my concern is that Chandan will need to forward almost every message to others at Oracle. While this would be very helpful for occasional messages (forward relevant messages only and to the right people only), if done for almost every message it feels like it'd be better to have some Oracle Linux folks subscribed directly, like we do for other distros. But apparently the Oracle Linux folks don't really care - at least this is the impression I got from this discussion thread so far, and I'd be happy to be proven wrong. Sure, it is possible to read oss-security other than by being subscribed to the mailing list, and sure it is possible to receive forwards from Chandan internally, but to me this does show a lack of interest. Again, I'd be happy to be convinced that this is not the case - such as by Oracle's active participation on the new list and on oss-security, discussing Linux-specific issues (beyond and besides list membership).
> We have a large user base to protect. We do get reports of
> vulnerabilities in our Linux distribution which we may want to fix
> in collaboration with rest of the community.

I'd be happy to see this happen. For low-severity issues, please post to oss-security right away.

> > Oracle was never actually accepted to vendor-sec for Oracle Enterprise Linux.
>
> Not correct. From archives of vendor-sec I see there had been at
> least two representatives from Oracle Linux at vendor-sec and we had
> membership ever since Oracle started distributing Linux.
>
> This discussion was held whenever they requested to subscribe to
> vendor-sec and it was concluded that while we may be redistributing
> some packages, Oracle Linux is a distro in its own right.

This is semi-consistent with what Tomas Hoger wrote:

"IIRC, Oracle was subscribed to v-s more than once - the "Sun" exploder that was subscribed for quite a while (originally as Solaris vendor probably), and individual OEL representative, added around the time Oracle was in the process of acquiring Sun and there was no single security contact for all products yet."

However, I don't see anyone from Oracle on what was given to me as the final vendor-sec members list. There's Sun's exploder, but no Oracle, nor any Oracle person.

I recall that Joel Becker of Oracle had briefly contributed both to vendor-sec and to oss-security discussions (thanks!), e.g. here:

http://www.openwall.com/lists/oss-security/2010/09/30/2

I don't recall if Joel was on vendor-sec (perhaps he was subscribed for a while, then he asked to unsubscribe? just a guess), but I don't see him on the final members list, and he has since unsubscribed from oss-security (which may or may not indicate anything).

It would make more sense to me to subscribe Joel for Oracle Linux (unless he's in fact not involved in that anymore, which I have no idea of), and Chandan for Solaris and other ex-Sun products (to a proper list, once/if one is set up).
Arguably, it's none of my business to suggest to a distro vendor whom to subscribe, and as list admin I accept Oracle's decision for Chandan to represent Oracle Linux. I am just saying that as a community member I would be more convinced of Oracle's interest in and ability to handle advance notifications of security issues in Oracle Linux specifically if a Linux person were being subscribed to that list (and participated on oss-security as well, like Joel briefly did).

> > Then, the only @oracle.com person currently on oss-security (judging by
> > the e-mail addresses) appears not to be involved with Oracle Enterprise
> > Linux specifically.
>
> There are other ways to subscribe to this list than email. See:
> http://oss-security.openwall.org/wiki/mailing-lists/oss-security

Sure.

> > Can you please add your info to the following wiki pages?
> > http://oss-security.openwall.org/wiki/vendors
>
> Done,

Thank you! If you can, please also add a section to:

http://oss-security.openwall.org/wiki/distro-patches

which would help other distros find your source code patches for possible reuse.

Alexander