Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 25 Apr 2014 04:11:51 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Request for linux-distros list membership

Anthony, Roland, all -

I've subscribed Anthony to linux-distros today, for Amazon Linux AMI.

Let me use this opportunity to remind the people already on
linux-distros and distros lists that I'd appreciate their help in
ensuring that list policies are met.  While I help host these lists, I
never volunteered to be the (only) policeman. ;-)  I posted three
messages to distros today (right after subscribing Anthony) requesting
that coordinated disclosure dates on specific issues be clarified and
kept within the maximum of 14 to 19 days (depending on day of week) as
stated here:

http://oss-security.openwall.org/wiki/mailing-lists/distros

In fact, way shorter than the maximum embargo periods are preferred (and
are often used), which is also stated on that wiki page.

So, can someone already on linux-distros and distros please volunteer to
keep track of all issues being brought to these lists (yes, all issues -
including those that don't affect your distro) and ensure that each one
of them promptly gets assigned at least a tentative public disclosure
date, that such date is within list policy, that the issue is in fact
publicly disclosed on that date, and that the disclosure includes a
mandatory posting specifically to oss-security (as well as to anywhere
else the disclosing person likes to post)?  If any of these requirements
are violated (or are about to be violated), please yell on the (private)
list (CC'ing the external reporter of the issue, if applicable) until
the violation ceases.  Any volunteer(s)?

Anthony, can it be you?  I deliberately didn't ask you before
subscribing you, because volunteering for this job is in no way a
precondition for list membership, but it would happen to be an extra
justification. ;-)

On Fri, Apr 18, 2014 at 05:32:48PM +0200, rf@...eap.de wrote:
> Just a remark from somebody who's request for linux-distros membership
> was turned down: I think in case the AMI membership will be granted, you
> need to provide a clear explanation why Qlustar's wasn't. Better: Setup
> some clear criteria for when membership is possible and when not.

I am hosting these lists at Openwall for benefit of the oss-security
community, so decisions are made based on opinions expressed in here,
with the exception that I won't do things I find obviously wrong
(someone else would need to volunteer to host the lists if my personal
opinion would ever be incompatible with what would appear to be the
community's sentiment).

Based on the discussions so far, I don't have a strong "obviously wrong"
feeling towards any of the four possibilities for AMI's and Qlustar's
(non-)subscription, although I do feel there's a significantly stronger
case for subscribing AMI and a fairly strong case for _not_ subscribing
Qlustar, so it'd be weird to subscribe Qlustar and not subscribe AMI.

Here are some reasons in favor of subscribing AMI, which are not present
for Qlustar, in arbitrary order:

- AMI appears to have a use for advance notifications for components of
the entire distro, not just Linux kernel.

- Some community support for getting AMI onto the list.

- Some community support for getting the specific Amazon person on the
list as the representative for AMI.

- The person's track record of contributing to upstream Open Source
software and in security relevant areas (QEMU development).

- No opposition to subscribing Amazon Linux AMI.  For Qlustar, there was
not exactly opposition, but no one was convinced that Qlustar should be
subscribed when I specifically asked:

http://www.openwall.com/lists/oss-security/2014/01/23/6

- Amazon Linux AMI having a significant userbase, which is unclear for
Qlustar yet.  When the first request to subscribe Qlustar was made, IIRC
my Google web search for it found surprisingly few results (like 20),
and even fewer not on Qlustar's own sites.  This has improved since: a
Google web search for "Qlustar" (in quotes) gives "About 2,060 results"
results now, although there's relatively little vendor-independent
content (postings other than by or forwarded from Roland, etc.)  Hitting
"Next" exhausts the actual distinct search results on page 6, saying "In
order to show you the most relevant results, we have omitted some
entries very similar to the 57 already displayed."  About the best
potentially independent comments on Qlustar I found now are these two:

http://www.microway.com/hpc-tech-tips/sc13-highlights/

"Qlustar

There are a lot of choices out there to consider when selecting software
for your cluster. The product Qlustar will likely be of great interest
to those who prefer a Debian/Ubuntu-based approach. Its special because
building up an HPC cluster from these distributions usually requires
additional effort. Qlustar is also unique in its built-in support for
ZFS, LUSTRE (on top of ZFS) and HA."

and:

http://ubuntuhpc.wikia.com/wiki/HPC_Linux_Cluster_with_Ubuntu_Wiki

"If you want to have serious HPC clustering software for Debian/Ubuntu
look at Qlustar"

Oh, the second one was a wiki edit from an IP address that resolves back
to ns2.q-leap.de, so clearly not independent.  So at most one maybe
independent comment on Qlustar I could find.  Does it not have 2+ users
who would say anything on the web?  It certainly appears so from the few
minutes I spent web searching.  (And Microway's is based on conference
attendance, so probably not from a user.)

And no, I don't mean to encourage creating a fake web presence.
I actually appreciate Roland's sincerity in this matter very much.
I understand it takes effort and time to gain adoption for a new distro.
It's just that maybe it's not time for Qlustar to increase the risk
exposure for others, for the benefit of extremely few users.

BTW, contrary to what some people guess (I heard them say so), there was
essentially no userbase size filter on the old vendor-sec.  This is a
new thing I am suggesting here.  I would probably not suggest it if I
saw a normal, small userbase distro.  But a distro where I can't find
any userbase at all?  Hmm.  I do think Roland is acting in good faith,
and the distro is indeed real, but let's not forget that if we start
accepting zero-userbase distros, someone might be tempted to create a
fake distro just for this purpose.

I think as a minimum we should require that someone who has already made
contributions to this community has vouched for the new distro and for
the specific person.  If not, we should not satisfy the request.
Anything less just invites abuse attempts.  We should also require at
least some visible userbase.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.