Date: Fri, 12 Feb 2016 23:48:16 -0700
From: Scotty Bauer <sbauer@....utah.edu>
To: oss-security@...ts.openwall.com
Subject: Re: Thoughts about security of Linux distributor
 collaboration platforms, bugtrackers for opensource software

I assume most severe Linux bugs are going through the distros list, which does exactly as you describe in your mail...

http://oss-security.openwall.org/wiki/mailing-lists/distros

On 02/12/2016 10:52 PM, halfdog wrote:
> Hello List,
> 
> As just written in a mail to another list, this might also be
> interesting for discussion here:
> 
> As it would be the most natural thing for e.g. NSA, China, ... (those
> with capabilities to monitor large amounts of network traffic) to just
> record all mails from large-scale Linux distribution collaboration and
> issue tracking systems containing the keyword "security", and as this is
> a very cheap way to get to near-zero day material, I would assume that
> this is already done. This is like serving them zero days on a golden
> plate.
> 
> Hence really critical security material perhaps should not go to such
> platforms, e.g. Ubuntu Launchpad, or the platform should be modified to
> send security issues only in encrypted mails without a talkative title;
> members without a mail public key registered should get only the message "Bug
> [Number]: Info changed" including the HTTPS link to the issue in the
> platform.
> 
> What do you think?
> 
> Does someone have a link to anyone having access to the selector lists
> leaked by Snowden to ask them, which of the distros are already in scope
> or otherwise to discard this e-mail as pure paranoia?
> 
> Kind regards,
> hd
> 
> 
