Date: Wed, 4 Jun 2014 22:00:21 -0700
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Cc: kseifried@...hat.com, Monty Ijzerman <mijzerman@...are.com>
Subject: Re: Request for linux-distros subscription

On Wed, Jun 04, 2014 at 09:43:05PM -0700, Ramon de C Valle wrote:
> > [1] if they are added then by that logic we need to add every product
> > which has virtualization support or a ported environment that can run
> > Linux (busybox anyone?) which is basically crazy.
> This statement just enforces what I said above. There are so many
> problems in this statement that I don't even know where to start. It
> is my understanding that you're comparing ESXi with BusyBox, although
> they're different things and ESXi uses BusyBox (which you probably
> didn't know).
> 
> If we enter in the merit of virtualization products (and cloud
> services), you may or may not have noticed but the majority of them
> are already subscribed (albeit indirectly) but VMware. Amazon,
> Canonical, Oracle, Red Hat, are all present. Let's assume, for
> example, that a critical vulnerability in a critical OSS that affects
> not only the Linux distributions but also the virtualization products
> (and cloud services) of any of the companies mentioned above is
> disclosed on the list. We both know that this information will be used
> not only to fix the vulnerability in the Linux distributions but also
> in all the other products and services of these companies in advance.
> Don't you think it's a bit unfair? I could easily assume that you are
> biased towards VMware not being subscribed to the list. But we aren't
> going to enter in that merit, are we?

Wait, companies aren't on these lists to "fix things in advance", they
are on them to help resolve the issues with the community members of the
OSS projects, and to help prepare for the announcement in an organized
manner.  The fact that they work _with_ the community projects is a
major thing here.  It is not a one-way street at all.

I'm sure if anyone is found to be "fixing things in products ahead of
time", that will be addressed properly, but that is _not_ the reason
this group is here for at all from what I can tell (note, I'm not on the
list, but was on vendor-sec for years, and never saw any "fixes ahead of
time" there that were not just honest mistakes.)

> So far I have explained many reasons why we should be subscribed to
> the list, yet you haven't explained any why we shouldn't (despite the
> "you're not a Linux distribution" above, which I have said myself in
> my very first post).

What specific OSS products are you relying on that you wish to have
advance notice of vulnerabilities in?  As you aren't a public Linux
distro, it's hard to find a list anywhere about what exact code bases
you are concerned about tracking here.

Well, except for the previously mentioned huge Linux driver code base
(i.e. the thing that runs your flagship product) but I've already stated
my objection there for why you should not be allowed access to any
"special" knowledge there.

thanks,

greg k-h
