Date: Fri, 25 Apr 2014 04:11:51 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Request for linux-distros list membership

Anthony, Roland, all -

I've subscribed Anthony to linux-distros today, for Amazon Linux AMI.

Let me use this opportunity to remind the people already on linux-distros and distros lists that I'd appreciate their help in ensuring that list policies are met. While I help host these lists, I never volunteered to be the (only) policeman. ;-)

I posted three messages to distros today (right after subscribing Anthony) requesting that coordinated disclosure dates on specific issues be clarified and kept within the maximum of 14 to 19 days (depending on day of week) as stated here:

http://oss-security.openwall.org/wiki/mailing-lists/distros

In fact, way shorter than the maximum embargo periods are preferred (and are often used), which is also stated on that wiki page.

So, can someone already on linux-distros and distros please volunteer to keep track of all issues being brought to these lists (yes, all issues - including those that don't affect your distro) and ensure that each one of them promptly gets assigned at least a tentative public disclosure date, that such date is within list policy, that the issue is in fact publicly disclosed on that date, and that the disclosure includes a mandatory posting specifically to oss-security (as well as to anywhere else the disclosing person likes to post)? If any of these requirements are violated (or are about to be violated), please yell on the (private) list (CC'ing the external reporter of the issue, if applicable) until the violation ceases.

Any volunteer(s)? Anthony, can it be you? I deliberately didn't ask you before subscribing you, because volunteering for this job is in no way a precondition for list membership, but it would happen to be an extra justification. ;-)

On Fri, Apr 18, 2014 at 05:32:48PM +0200, rf@...eap.de wrote:
> Just a remark from somebody whose request for linux-distros membership
> was turned down: I think in case the AMI membership will be granted, you
> need to provide a clear explanation why Qlustar's wasn't. Better: Set up
> some clear criteria for when membership is possible and when not.

I am hosting these lists at Openwall for the benefit of the oss-security community, so decisions are made based on opinions expressed in here, with the exception that I won't do things I find obviously wrong (someone else would need to volunteer to host the lists if my personal opinion would ever be incompatible with what would appear to be the community's sentiment).

Based on the discussions so far, I don't have a strong "obviously wrong" feeling towards any of the four possibilities for AMI's and Qlustar's (non-)subscription, although I do feel there's a significantly stronger case for subscribing AMI and a fairly strong case for _not_ subscribing Qlustar, so it'd be weird to subscribe Qlustar and not subscribe AMI.

Here are some reasons in favor of subscribing AMI, which are not present for Qlustar, in arbitrary order:

- AMI appears to have a use for advance notifications for components of the entire distro, not just the Linux kernel.

- Some community support for getting AMI onto the list.

- Some community support for getting the specific Amazon person on the list as the representative for AMI.

- The person's track record of contributing to upstream Open Source software and in security-relevant areas (QEMU development).

- No opposition to subscribing Amazon Linux AMI. For Qlustar, there was not exactly opposition, but no one was convinced that Qlustar should be subscribed when I specifically asked:

http://www.openwall.com/lists/oss-security/2014/01/23/6

- Amazon Linux AMI having a significant userbase, which is unclear for Qlustar yet.

When the first request to subscribe Qlustar was made, IIRC my Google web search for it found surprisingly few results (like 20), and even fewer not on Qlustar's own sites. This has improved since: a Google web search for "Qlustar" (in quotes) gives "About 2,060 results" now, although there's relatively little vendor-independent content (postings other than by or forwarded from Roland, etc.) Hitting "Next" exhausts the actual distinct search results on page 6, saying "In order to show you the most relevant results, we have omitted some entries very similar to the 57 already displayed."

About the best potentially independent comments on Qlustar I found now are these two:

http://www.microway.com/hpc-tech-tips/sc13-highlights/

"Qlustar

There are a lot of choices out there to consider when selecting software for your cluster. The product Qlustar will likely be of great interest to those who prefer a Debian/Ubuntu-based approach. It's special because building up an HPC cluster from these distributions usually requires additional effort. Qlustar is also unique in its built-in support for ZFS, LUSTRE (on top of ZFS) and HA."

and:

http://ubuntuhpc.wikia.com/wiki/HPC_Linux_Cluster_with_Ubuntu_Wiki

"If you want to have serious HPC clustering software for Debian/Ubuntu look at Qlustar"

Oh, the second one was a wiki edit from an IP address that resolves back to ns2.q-leap.de, so clearly not independent.

So at most one maybe independent comment on Qlustar I could find. Does it not have 2+ users who would say anything on the web? It certainly appears so from the few minutes I spent web searching. (And Microway's is based on conference attendance, so probably not from a user.)

And no, I don't mean to encourage creating a fake web presence. I actually appreciate Roland's sincerity in this matter very much. I understand it takes effort and time to gain adoption for a new distro. It's just that maybe it's not time for Qlustar to increase the risk exposure for others, for the benefit of extremely few users.

BTW, contrary to what some people guess (I heard them say so), there was essentially no userbase size filter on the old vendor-sec. This is a new thing I am suggesting here. I would probably not suggest it if I saw a normal, small userbase distro. But a distro where I can't find any userbase at all? Hmm.

I do think Roland is acting in good faith, and the distro is indeed real, but let's not forget that if we start accepting zero-userbase distros, someone might be tempted to create a fake distro just for this purpose. I think as a minimum we should require that someone who has already made contributions to this community has vouched for the new distro and for the specific person. If not, we should not satisfy the request. Anything less just invites abuse attempts. We should also require at least some visible userbase.

Alexander