Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 1 Jun 2017 20:00:53 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: unresponsive distros

Hi,

A certain issue being handled on the distros list provided for a
particularly good opportunity for me to test whether/which distros are
actually paying attention and intend to respond to issues during the
embargo period.  In the middle of a lengthy thread with a somewhat
generic Subject (since it travels unencrypted), I asked literally all
(and I emphasized that) distros to respond to the thread with status
updates regarding their handling of the issue.  That was on May 27.
I gave distros time until May 30 (Tuesday) to respond.  I then gave them
about 2 days more, as you can see.

Most distros responded, with varying amount of detail.  But 3 did not:

FreeBSD
Amazon Linux AMI
MontaVista Software

We had heard from FreeBSD earlier in the thread, although I would have
expected them to reply to the specific request as well (and I did say so
explicitly).  Maybe it's fatigue from too many encrypted messages, most
of which happen to be focusing on Linux-specific aspects of the issue.
That's not great at all, but it is somewhat understandable.  Part of the
problem is that when an issue is potentially relevant to both *BSD and
Linux, we're rarely careful to separate postings and sub-threads between
the distros and linux-distros lists, resulting in "spamming" (and risk
of leaks) of the Linux-specific aspects to (and via) the *BSD's.  This
is something for us all to improve.  (Some of the sub-threads were in
fact correctly separated to go only to linux-distros in this present
case, though.)

As to Amazon and MontaVista, it is likely they'll have to leave the
distros list for inactivity.

As far as I can tell, last posting/reply on the (linux-)distros list by
Amazon was in July 2016 and before that in November 2014.  As far as I
can tell, MontaVista never posted to the list.  Being a user of the info
only, without participation in discussions, is not strictly disallowed,
but this time it's coupled with lack of response when specifically asked
to respond, and on an issue that is at least potentially relevant to the
distros (not just a responsiveness test).

At this point, there will have to be a very good reason to justify
keeping Amazon and MontaVista on the list.  Is there any?

OTOH, there's just one person subscribed for each of Amazon and
MontaVista, and all messages are encrypted to the recipient's own keys
(but of course the headers are unencrypted, including the Subjects).
So e.g. an unattended mailbox isn't that much of a risk.

I am not going to ping Amazon and MontaVista directly (just like I did
not ping NetBSD directly last month, although others promptly did
anyway).  If they missed the messages on the distros list and also miss
the message here, so be it.

While I am at it: there have been 3624 messages on linux-distros (and a
subset of those on distros) since the list was setup on April 3, 2011
and until today.  That's about 1.6 messages per day on average, but
sometimes there are spikes (like there is now) and sometimes there are
quiet periods.

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ