Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 18 Jan 2017 09:17:15 +0100
From: Michal Hrusecky <Michal.Hrusecky@....cz>
To: oss-security@...ts.openwall.com
Subject: Re: linux-distros subscription

Solar Designer -  3:37 15.01.17 wrote:
> Hi Michal,
> 
> On Fri, Jan 13, 2017 at 10:36:11AM +0100, Michal Hrusecky wrote:
> > I would like to request subscription to linux-distros mailing list. I'm one of
> > the maintainers of Turris OS - OpenWRT fork used on Turris and Turris Omnia
> > routers[1].
> > 
> > Not sure what has to be part of application, on wiki[2] I found only that I
> > should request it here.
> 
> Right.  This basically tells us there's interest, and from whom and for
> what reasons.  That's useful, so thanks for posting your request.
> 
> However, in practice the list membership has been frozen since the last
> distro addition in April 2014, so for almost 3 years now.  Since then,
> there were only removals and changes in who's subscribed for the
> previously accepted distros.

Thanks for the info.

> Perhaps we'll be forced to re-open this can of worms, or shut down these
> lists for good.  Simply keeping them frozen is unfair to new distros
> requesting membership now.  Simply accepting all who request membership
> based on mostly objective criteria yet without introducing distro's
> userbase size as a criterion is, in my opinion, going to make things
> worse overall (in terms of balance of benefit to users vs. risk of
> leaks).  Yet we might, as long as the benefit-risk is still deemed to be
> positive (even if less than now).  Just to be fair.

Ok, what I forgot to mention is a user-base. Our distribution is quite small, we
have about 7 thousand users. Our distribution runs on routers we gave away in
the past and new ones that we are selling and both have by default automatic
updates enabled - so they get updates including security ones quite soon after
we release them.

> Here's a thread from 2015 with some half-baked thoughts on the issues:
> 
> http://www.openwall.com/lists/oss-security/2015/03/20/5

Thanks for the context, I understand it is a hard decision.

> Here are some recent requests:
> 
> http://www.openwall.com/lists/oss-security/2016/10/21/2
> http://www.openwall.com/lists/oss-security/2016/10/25/2
> 
> What's common about the timing of these: they were triggered by
> vulnerabilities that attracted a lot of media attention.  This may be
> primarily about publicity and checklists ("our competitors are on that
> list, we should be too") and only secondarily about security.  I do
> value the persistence of some distros/people reminding me about their
> requests, though - suggesting their interest is more likely genuine.
> And your request isn't nearly that "badly" timed. ;-)
> 
> > Probably you will need some proof that I'm who I claim to be. You can see bunch
> > of commits on our gitlab[3] (signed by the same key I'm using to sign this
> > mail) and you can reach me and some of my colleagues on security@...ris.cz
> > e-mail alias that is also listed as security contact on our web[4].
> > 
> > We have infrastructure in place to work on embargoed issues without disclosing
> > them to public. Not sure whether there are any other requirements to meet. If
> > so, please let me know.
> > 
> > [1] https://omnia.turris.cz/en/
> > [2] http://oss-security.openwall.org/wiki/mailing-lists/distros
> > [3] https://gitlab.labs.nic.cz/turris/openwrt/commits/test
> > [4] https://www.turris.cz/en/contacts
> 
> What would have been some recent issue likely handled via the distros
> list (this is often stated in the follow-up postings on oss-security,
> albeit not always) where the advance notification would have helped your
> project release a fix substantially sooner?

Hard to guess what is there. But basically before we release anything we do
test it, so from the point when we learn about the issue, it takes days to
release a fix (after commiting fix, we build binaries, do some testing and only
after that we release it for everybody). What is most important for us is I
would remotely exploitable kernel issues (here testing takes even more time),
openssl, openssh and lighttpd.

> I notice you fixed OpenSSL CVE-2016-7056 promptly:
> 
> https://gitlab.labs.nic.cz/turris/openwrt/commit/9aa88e76e70250dd219e8e228162bde045ade4f9
> 
> However, that issue wasn't on the distros list.
> 
> I also notice you've been on oss-security for half a year.  That's good.
> However, I wasn't able to find any record of your past participation in
> this specific community.  You might want to get more involved first.

Yep, using it as one source of information about vulnerabilities we need to
fix. Was thinking how to respond to the contribution part, other mails helped
me to get some idea what can I do to improve. I admit that I'm new to this
field and I'm here mostly to learn about potential threads to our users.

Company I work for contributes to security in general, but probably not in this
specific community. I'm from CZ.NIC which among other stuff runs Czech CSIRT
team. But that is even different department. What we do in our team regarding
security is probably nothing that would help us to discover new
vulnerabilities. What we do is provide people option to send us firewall logs
and we use the results to build greylist[1] and we allow people to check
whether their IP tried to attack any of our users[2].

[1] https://www.turris.cz/en/greylist
[2] https://amihacked.turris.cz/

Personally, I'm not involved in those projects as I'm working most of the time
on our distribution. I asked for the membership as I would be the one handling
the issues on our end and I understand the need to limit the audience as much
as possible.

> And if/when we do re-open the list for additional distros, you'll be
> able to re-request membership.

Thank you, I will reapply when that happens and in the meantime will think
about suggestions others posted about how to contribute back.

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.