Date: Fri, 12 Feb 2016 23:48:16 -0700
From: Scotty Bauer <sbauer@....utah.edu>
To: oss-security@...ts.openwall.com
Subject: Re: Thoughts about security of Linux distributor collaboration platforms, bugtrackers for opensource software

I assume most severe Linux bugs are going through the distros list, which does exactly as you describe in your mail...

http://oss-security.openwall.org/wiki/mailing-lists/distros

On 02/12/2016 10:52 PM, halfdog wrote:
> Hello List,
>
> As just written in a mail to another list, this might also be
> interesting for discussion here:
>
> As it would be the most natural thing for e.g. NSA, China, ... (those
> with capabilities to monitor large amounts of network traffic) to just
> record all mails from large-scale Linux distribution collaboration and
> issue tracking systems containing the keyword "security", and as this is
> a very cheap way to get to near-zero day material, I would assume that
> this is already done. This is like serving them zero days on a golden
> plate.
>
> Hence really critical security material perhaps should not go to such
> platforms, e.g. Ubuntu Launchpad, or the platform should be modified to
> send security issues only in encrypted mails without talkative title;
> members without mail public key registered should get only the message "Bug
> [Number]: Info changed" including the HTTPS link to the issue in the
> platform.
>
> What do you think?
>
> Does someone have a link to anyone having access to the selector lists
> leaked by Snowden to ask them which of the distros are already in scope,
> or otherwise to discard this e-mail as pure paranoia?
>
> Kind regards,
> hd
>