Date: Thu, 1 Jun 2017 20:00:53 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: unresponsive distros

Hi,

A certain issue being handled on the distros list provided for a particularly good opportunity for me to test whether/which distros are actually paying attention and intend to respond to issues during the embargo period.

In the middle of a lengthy thread with a somewhat generic Subject (since it travels unencrypted), I asked literally all (and I emphasized that) distros to respond to the thread with status updates regarding their handling of the issue. That was on May 27. I gave distros time until May 30 (Tuesday) to respond. I then gave them about 2 days more, as you can see.

Most distros responded, with varying amounts of detail. But 3 did not:

FreeBSD
Amazon Linux AMI
MontaVista Software

We had heard from FreeBSD earlier in the thread, although I would have expected them to reply to the specific request as well (and I did say so explicitly). Maybe it's fatigue from too many encrypted messages, most of which happen to be focusing on Linux-specific aspects of the issue. That's not great at all, but it is somewhat understandable. Part of the problem is that when an issue is potentially relevant to both *BSD and Linux, we're rarely careful to separate postings and sub-threads between the distros and linux-distros lists, resulting in "spamming" (and risk of leaks) of the Linux-specific aspects to (and via) the *BSD's. This is something for us all to improve. (Some of the sub-threads were in fact correctly separated to go only to linux-distros in this present case, though.)

As to Amazon and MontaVista, it is likely they'll have to leave the distros list for inactivity. As far as I can tell, the last posting/reply on the (linux-)distros list by Amazon was in July 2016 and before that in November 2014. As far as I can tell, MontaVista never posted to the list.

Being a user of the info only, without participation in discussions, is not strictly disallowed, but this time it's coupled with lack of response when specifically asked to respond, and on an issue that is at least potentially relevant to the distros (not just a responsiveness test). At this point, there will have to be a very good reason to justify keeping Amazon and MontaVista on the list. Is there any?

OTOH, there's just one person subscribed for each of Amazon and MontaVista, and all messages are encrypted to the recipient's own keys (but of course the headers are unencrypted, including the Subjects). So e.g. an unattended mailbox isn't that much of a risk.

I am not going to ping Amazon and MontaVista directly (just like I did not ping NetBSD directly last month, although others promptly did anyway). If they missed the messages on the distros list and also miss the message here, so be it.

While I am at it: there have been 3624 messages on linux-distros (and a subset of those on distros) since the list was set up on April 3, 2011 and until today. That's about 1.6 messages per day on average, but sometimes there are spikes (like there is now) and sometimes there are quiet periods.

Alexander