Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 2 Apr 2015 14:47:01 +0000
From: Sona Sarmadi <sona.sarmadi@...a.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: RE: membership request  to the closed linux-distros
 security mailing list

> On Fri, Mar 20, 2015 at 02:00:29PM +0100, Sona Sarmadi wrote:
> > On behalf of Enea  Software AB, I would like to request membership to
> > the closed linux-distros security mailing list.
> 
> Oh, recent attention to OpenSSL does wonders.  I already got off-list
> reminders from IBM and VMware this same week.
> 
> Of course, this is primarily about PR, and only secondarily about security.  But
> should this be stopping us, if early security updates are also, unsurprisingly,
> good for security?
> 
> OK, we got to handle these requests, and more.  Yes, there were several
> more off-list requests (obviously, they would not be handled without
> bringing them to oss-security first) during the 11 months that distros list
> membership has essentially been locked (in terms of which distros are
> represented; there were minor changes in who is subscribed for distros
> already on the list).
> 
> Oh, and I need to announce that one distro left the list earlier this
> month: the person previously subscribed for Android determined that "the
> mail going to those lists hasn't been actionable" for Android.
> 
> So, our options are:
> 
> 1. Shut down the (linux-)distros lists and be done with this. ;-)  To me, they
> were more clearly doing more good than bad when they were a subset of
> the old vendor-sec.  With more membership requests coming in, and with
> simply ignoring such requests being unfair, maybe the time of these lists is
> over.  No, this does not mean that's my current opinion, but when doing
> something as controversial as this, I think we should at all times be
> reconsidering whether the "more good than bad" condition is possibly no
> longer met.  (Of course, some people are convinced that it never was.  I am
> not.  Rather, I am unsure.)

This is probably not a good idea, considering such an increasing interest for this list :)
 
> -OR-
> 
> 2. We can just go ahead and review each request for acceptance for the
> existing (linux-)distros lists.  In this case, we'd be less likely to satisfy all of the
> pending requests.  And maybe we should question the subscription of
> Amazon Linux AMI, MontaVista, and Wind River, which are now linux-distros
> members.
> 
> -OR-
> 
> 3. Setup a separate list for primarily non-free software and primarily non-
> software vendors.  Of the existing linux-distros members, maybe Amazon
> Linux AMI, MontaVista, and Wind River should be moved there.
> (Maybe also Chrome OS?)  And then maybe Enea and VMware would
> reasonably be added, too.  Not sure if IBM is non-free enough to be
> restricted to that list.
> 
> The idea behind such list is that we'd let people decide who they want to
> notify: all distros (including this separate list) or just the more free'ish subset
> (not including this separate list).

Is there any reason for this separation? Is this something the upstream projects desire? We all want the same thing, we all care about security, that is why people want to be on this list. Is this an attempt to punish companies and their open source users just because these companies also have closed source products? What is unfree with Enea Linux?

I think it is good that more people show interest in security and want to be on the list. If being on this list helps security updates to spread more quickly, why not let these people/distros in as long as they are serious, reliable and follow the rules and processes.

Regards
//Sona

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.