Date: Tue, 13 Mar 2012 06:53:04 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: running the distros lists

I got a couple of off-list requests to clarify what kind of help is
needed.  I'll do so below:

On Tue, Mar 13, 2012 at 01:38:07AM +0400, Solar Designer wrote:
> I could use some help running the distros list and its linux-distros
> sub-list.  Specifically, when issues are being brought to these lists,
> the initial messages very often lack a proposed coordinated release date
> (CRD).  Currently there's no specific person (nor a group smaller than
> the entire membership of the list) who would be responsible for getting
> a CRD agreed upon ASAP, yet this is something that needs to happen for
> each and every issue.  When everyone is responsible for this, it also
> means that no one in particular is responsible.  This needs to change.

What I'd like to be happening is for some list member(s) (not too many
of them) to be proposing a CRD for each reported issue on the day it is
reported.  Then those member(s) need to stay on top of all open issues
and ensure the CRDs are met (if necessary, adjusting the CRDs as long as
the list's limit permits).  Quite often, this will involve negotiations
with other list members, with the reporter, with upstream(s), and with
various other parties (such as related projects and distros who are not
on the list).  Yes, this does sound CERT'ish. ;-)

> Could one or several distros and/or linux-distros list members please
> accept this responsibility?  I can't seem to allocate enough of my own
> time to this job, sorry.  (I am already putting some of my time into
> other aspects of running these lists, as you're aware.)  Additionally, I
> think that some other list members are better qualified for it because
> more of the issues affect their products.
> 
> I think Kurt, Vincent, and/or Jan (the Red Hat folks) could do this job
> well, especially considering that they're currently the ones to assign
> CVE IDs anyway (so could as well assign IDs and propose CRDs in the same
> message), but anyone else is welcome to volunteer for this thankless job
> as well.

Not exactly anyone else, but anyone who is currently on the distros list.

> Please let us all know.
> 
> Thanks,
> 
> Alexander
