Date: Fri, 25 Apr 2014 08:16:47 -0700
From: Anthony Liguori <aliguori@...zon.com>
To: <oss-security@...ts.openwall.com>
Subject: Re: Request for linux-distros list membership

On 04/24/14 17:34, Solar Designer wrote:
> So, can someone already on linux-distros and distros
> please volunteer to keep track of all issues being
> brought to these lists (yes, all issues - including those
> that don't affect your distro) and ensure that each one
> of them promptly gets assigned at least a tentative
> public disclosure date, that such date is within list
> policy, that the issue is in fact publicly disclosed on
> that date, and that the disclosure includes a mandatory
> posting specifically to oss-security (as well as to
> anywhere else the disclosing person likes to post)? If
> any of these requirements are violated (or are about to
> be violated), please yell on the (private) list (CC'ing
> the external reporter of the issue, if applicable) until
> the violation ceases. Any volunteer(s)?

This sounds like a terrible job for a human but a simple job for a script.

I think all it really requires is having an agreed-upon way to take disclosure dates. It is then simple to have a script that

(1) complains when (disclosure date - thread creation date) > max embargo period

(2) complains when a disclosure date has been exceeded without an indication that there has been a public statement.

The nice thing about using on-list tagging is that it keeps all of the state on list such that anyone can run the bot on their own.

I would propose we use a system like:

X-Disclosure-Date: 2014-06-01

To set/update the disclosure date for a given thread. To indicate that something has been disclosed:

X-Disclosed-On: 2014-06-02T05:00:00Z

I can watch threads for now and make sure metadata is getting tagged but hopefully over time all list members will participate making it not depend on one person.

If no one objects, I'll put something together and send out a pointer to the code.
Regards, Anthony Liguori
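A minimal checker for the on-list tagging scheme proposed in the message above, added here as an illustration; it is not the author's script and not code from the linux-distros or oss-security lists. It groups messages into threads by References/In-Reply-To, takes the thread's earliest Date as the creation date, lets the most recent X-Disclosure-Date in the thread win, and emits the two complaints described in the message plus a third for threads that never received a date. The sample messages, the 14-day maximum embargo and the fixed "now" are constructed assumptions for the example.

```python
"""Embargo tracker for X-Disclosure-Date / X-Disclosed-On tags (added example).

Assumptions (not from the original post): threads are grouped by the first
Message-ID in References (or In-Reply-To, or the message's own ID); the list's
maximum embargo is 14 days; NOW is pinned so the example runs reproducibly.
"""
from datetime import date, datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

MAX_EMBARGO = timedelta(days=14)                     # assumed policy limit
NOW = datetime(2014, 5, 15, tzinfo=timezone.utc)     # assumed "current" time

# Constructed sample list traffic, not real messages.
SAMPLE_MESSAGES = [
"""From: reporter@example.org
Date: Thu, 01 May 2014 10:00:00 +0000
Subject: [vs] issue A
Message-ID: <a1@example.org>
X-Disclosure-Date: 2014-05-07

Details of issue A.
""",
"""From: reporter@example.org
Date: Wed, 07 May 2014 12:30:00 +0000
Subject: Re: [vs] issue A
Message-ID: <a2@example.org>
In-Reply-To: <a1@example.org>
References: <a1@example.org>
X-Disclosed-On: 2014-05-07T12:00:00Z

Now public on oss-security.
""",
"""From: vendor@example.org
Date: Thu, 01 May 2014 11:00:00 +0000
Subject: [vs] issue B
Message-ID: <b1@example.org>
X-Disclosure-Date: 2014-06-01

Details of issue B (embargo requested far beyond policy).
""",
"""From: vendor@example.org
Date: Fri, 02 May 2014 09:00:00 +0000
Subject: [vs] issue C
Message-ID: <c1@example.org>
X-Disclosure-Date: 2014-05-10

Details of issue C (date passed, nobody tagged a disclosure).
""",
"""From: vendor@example.org
Date: Sat, 03 May 2014 08:00:00 +0000
Subject: [vs] issue D
Message-ID: <d1@example.org>

Details of issue D (never given a disclosure date).
""",
]


def thread_root(msg):
    """Identify the thread by its root Message-ID (assumed grouping rule)."""
    refs = (msg.get("References") or "").split()
    if refs:
        return refs[0]
    return msg.get("In-Reply-To") or msg["Message-ID"]


def group_threads(raw_messages):
    """Parse raw RFC 822 text and bucket messages per thread, oldest first."""
    msgs = [message_from_string(raw) for raw in raw_messages]
    msgs.sort(key=lambda m: parsedate_to_datetime(m["Date"]))
    threads = {}
    for m in msgs:
        threads.setdefault(thread_root(m), []).append(m)
    return threads


def check_thread(msgs, now=NOW, max_embargo=MAX_EMBARGO):
    """Return (root subject, list of complaints) for one thread."""
    created = parsedate_to_datetime(msgs[0]["Date"])
    disclosure = None      # latest X-Disclosure-Date tag wins
    disclosed_on = None    # first X-Disclosed-On tag counts as "made public"
    for m in msgs:
        if m["X-Disclosure-Date"]:
            disclosure = date.fromisoformat(m["X-Disclosure-Date"].strip())
        if m["X-Disclosed-On"] and disclosed_on is None:
            stamp = m["X-Disclosed-On"].strip().replace("Z", "+00:00")
            disclosed_on = datetime.fromisoformat(stamp)

    complaints = []
    if disclosure is None:
        complaints.append("no X-Disclosure-Date set for this thread")
    else:
        deadline = datetime.combine(disclosure, datetime.min.time(), tzinfo=timezone.utc)
        embargo = deadline - created
        if embargo > max_embargo:                      # check (1) from the post
            complaints.append(f"embargo of {embargo.days} days exceeds "
                              f"{max_embargo.days}-day limit")
        if disclosed_on is None and now.date() > disclosure:   # check (2)
            complaints.append(f"disclosure date {disclosure} passed with no "
                              f"X-Disclosed-On tag")
    return msgs[0]["Subject"], complaints


def run_checks(raw_messages, now=NOW, max_embargo=MAX_EMBARGO):
    """Map root subject -> complaints for every thread in the input."""
    return dict(check_thread(msgs, now, max_embargo)
                for msgs in group_threads(raw_messages).values())


if __name__ == "__main__":
    for subject, issues in run_checks(SAMPLE_MESSAGES).items():
        for issue in issues:
            print(f"{subject}: {issue}")
```

Because every input is a plain list message, anyone with the archive can run the same script and get the same complaints, which is the point of keeping the state on-list. Feeding it a real mbox is a matter of replacing SAMPLE_MESSAGES with the messages read from `mailbox.mbox`.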