Date: Sun, 15 Jan 2017 03:37:20 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: linux-distros subscription

Hi Michal,

On Fri, Jan 13, 2017 at 10:36:11AM +0100, Michal Hrusecky wrote:
> I would like to request subscription to the linux-distros mailing list. I'm
> one of the maintainers of Turris OS, an OpenWRT fork used on Turris and
> Turris Omnia routers.
>
> Not sure what has to be part of the application; on the wiki I found only
> that I should request it here.

Right. This basically tells us there's interest, and from whom and for what
reasons. That's useful, so thanks for posting your request.

However, in practice the list membership has been frozen since the last distro
addition in April 2014, so for almost 3 years now. Since then, there were only
removals and changes in who's subscribed for the previously accepted distros.

Perhaps we'll be forced to re-open this can of worms, or shut down these lists
for good. Simply keeping them frozen is unfair to new distros requesting
membership now. Simply accepting all who request membership based on mostly
objective criteria, yet without introducing the distro's userbase size as a
criterion, is, in my opinion, going to make things worse overall (in terms of
the balance of benefit to users vs. risk of leaks). Yet we might, as long as
the benefit-risk is still deemed to be positive (even if less than now). Just
to be fair.

Here's a thread from 2015 with some half-baked thoughts on the issues:

http://www.openwall.com/lists/oss-security/2015/03/20/5

Here are some recent requests:

http://www.openwall.com/lists/oss-security/2016/10/21/2
http://www.openwall.com/lists/oss-security/2016/10/25/2

What's common about the timing of these: they were triggered by
vulnerabilities that attracted a lot of media attention. This may be
primarily about publicity and checklists ("our competitors are on that list,
we should be too") and only secondarily about security.

I do value the persistence of some distros/people reminding me about their
requests, though - suggesting their interest is more likely genuine.

And your request isn't nearly that "badly" timed. ;-)

> Probably you will need some proof that I'm who I claim to be. You can see a
> bunch of commits on our GitLab (signed by the same key I'm using to sign
> this mail), and you can reach me and some of my colleagues on the
> security@...ris.cz e-mail alias that is also listed as the security contact
> on our web site.
>
> We have infrastructure in place to work on embargoed issues without
> disclosing them to the public. Not sure whether there are any other
> requirements to meet. If so, please let me know.
>
>  https://omnia.turris.cz/en/
>  http://oss-security.openwall.org/wiki/mailing-lists/distros
>  https://gitlab.labs.nic.cz/turris/openwrt/commits/test
>  https://www.turris.cz/en/contacts

What would have been some recent issue likely handled via the distros list
(this is often stated in the follow-up postings on oss-security, albeit not
always) where the advance notification would have helped your project release
a fix substantially sooner?

I notice you fixed OpenSSL CVE-2016-7056 promptly:

https://gitlab.labs.nic.cz/turris/openwrt/commit/9aa88e76e70250dd219e8e228162bde045ade4f9

However, that issue wasn't on the distros list.

I also notice you've been on oss-security for half a year. That's good.
However, I wasn't able to find any record of your past participation in this
specific community. You might want to get more involved first. And if/when we
do re-open the list for additional distros, you'll be able to re-request
membership.

Alexander