Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 25 Apr 2014 08:16:47 -0700
From: Anthony Liguori <aliguori@...zon.com>
To: <oss-security@...ts.openwall.com>
Subject: Re: Request for linux-distros list membership

On 04/24/14 17:34, Solar Designer wrote:
> So, can someone already on linux-distros and distros
> please volunteer to keep track of all issues being
> brought to these lists (yes, all issues - including those
> that don't affect your distro) and ensure that each one
> of them promptly gets assigned at least a tentative
> public disclosure date, that such date is within list
> policy, that the issue is in fact publicly disclosed on
> that date, and that the disclosure includes a mandatory
> posting specifically to oss-security (as well as to
> anywhere else the disclosing person likes to post)?  If
> any of these requirements are violated (or are about to
> be violated), please yell on the (private) list (CC'ing
> the external reporter of the issue, if applicable) until
> the violation ceases.  Any volunteer(s)?

This sounds like a terrible job for a human but a simple job for a
script.  I think all it really requires is having an agreed upon way to
take disclosure dates.  It is then simple to have a script that (1)
complains when (disclosure date - thread creation date) > max embargo
period (2) complains when a disclosure date has been exceeded without an
indication that there has been a public statement.

The nice thing about using on-list tagging is that it keeps all of the
state on list such that anyone can run the bot on their own.

I would propose we use a system like:

X-Disclosure-Date: 2014-06-01

To set/update the disclosure date for a given thread.  To indicate that
something has been disclosed:

X-Disclosed-On: 2014-06-02T05:00:00Z

I can watch threads for now and make sure metadata is getting tagged but
hopefully over time all list members will participate making it not
depend on one person.  If no one objects, I'll put something together
and send out a pointer to the code.

Regards,

Anthony Liguori

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.