Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 2 Jul 2017 17:29:25 +0300
From: Igor Seletskiy <i@...udlinux.com>
To: oss-security@...ts.openwall.com
Subject: linux-distros list membership application - CloudLinux

Hello Everyone,

I would like to apply for membership in linux-distros list for CloudLinux
OS. Please, see application attached.

1. Be an actively maintained Unix-like operating system distro with
substantial use of Open Source components
CloudLinux OS https://www.cloudlinux.com is RPM based distribution launched
in 2010 based on RedHat EL (most of the packages) and OpenVZ (kernel). We
customize and add multiple RPMs (like Apache, PHP, python, ruby, MySQL,
MariaDB and some others) as well as the kernel. Source code available at:
http://repo.cloudlinux.com/cloudlinux/6/updates/SRPMS/
http://repo.cloudlinux.com/cloudlinux/7/updates/Sources/SPackages/

2. Have a userbase not limited to your own organization
We have around 4,000 companies (mostly hosting providers) using CloudLinux
OS across ~40,000 servers to host ~20,000,000 domains

3. Have a publicly verifiable track record, dating back at least 1 year
and continuing to present day, of fixing security issues (including some
that had been handled on (linux-)distros, meaning that membership would
have been relevant to you) and releasing the fixes within 10 days (and
preferably much less than that) of the issues being made public (if it
takes you ages to fix an issue, your users wouldn't substantially
benefit from the additional time, often around 7 days and sometimes up
to 14 days, that list membership could give you)
We typically have to patch local privilege escalations in kernel asap as
our customers are easily rooted using this type of vulnerabilities (anyone
can buy website or hack old wordpress instance & run any code).

Some records:
The stack clash (Jun 21, 2016):
https://www.cloudlinux.com/cloudlinux-os-blog/entry/cve-2017-1000364-fixed-for-cloudlinux-7
Dirty Cow (Oct 21rd, 2016):
https://www.cloudlinux.com/cloudlinux-os-blog/entry/cloudlinux-6-kernel-updated-dirty-cow-issue-fixed
Ghost (Jan 27, 2015):
https://www.cloudlinux.com/cloudlinux-os-blog/entry/glibc-ghost-remote-vulnerability-cve-2015-0235


4. Not be (only) downstream or a rebuild of another distro (or else we
need convincing additional justification of how the list membership
would enable you to release fixes sooner, presumably not relying on the
upstream distro having released their fixes first?)
Our kernel has significant amount of changes comparing to OpenVZ kernel
We also do slight modifications to Apache web server, ship customized
versions of PHP (multiple versions), python, ruby, MySQL and MariaDB that
are  packaged by us, and not taken from upstream.

5. Be a participant and preferably an active contributor in relevant
public communities (most notably, if you're not watching for issues
being made public on oss-security, which are a superset of those that
had been handled on (linux-)distros, then there's no valid reason for
you to be on (linux-)distros)
We are actively watching for issues on oss-security, but usually, the
issues that relevant to us are already fixed by upstream distributions --
so we didn't feel we can contribute much. I think our kernel developers can
help with some of the work -- once we have the information in advance.
Right now they are mostly addopting patches from up-stream, as they are
already there...

6. Accept the list policy:
http://oss-security.openwall.org/wiki/mailing-lists/distros#list-policy-and-
instructions-for-members
(also quoted below)
Please consider this note as acceptance of the list policy.

7. Be able and willing to contribute back, preferably in specific ways
announced in advance (so that you're responsible for a specific area and
so that we know what to expect from which member), and demonstrate
actual contributions once you've been a member for a while:
http://oss-security.openwall.org/wiki/mailing-lists/distros
#contributing-back
(also quoted below)
We would be happy to help with administrative tasks:

   1. Promptly review new issue reports for meeting the list's requirements
   and confirm receipt of the report and, when necessary, inform the reporter
   of any issues with their report (e.g., obviously not actionable by the
   distros) and request and/or propose any required yet missing information
   (most notably, a tentative public disclosure date)
   2. If the proposed public disclosure date is not within list policy,
   insist on getting this corrected and propose a suitable earlier date

And possibly more in the future, as we have a better understanding of the
amount of work needed to handle those tasks.
We will need some handholding at first to make sure we do things correctly.


8. Be able and willing to handle PGP-encrypted e-mail
Please, find PGP related info

Leonid Kanter <lkanter@...udlinux.com>

GPG Key: 0x400296079AE5954F (download
<https://cryptup.org/pub/lkanter@...udlinux.com>)
GPG Fingerprint: A07D AA47 48B2 C445 6A44  9B38 4002 9607 9AE5 954F

Igor Seletskiy <i@...udlinux.com>

GPG Key: 0xCD7BB36D66B77E0D (download
<https://cryptup.org/pub/i@...udlinux.com>)

GPG Fingerprint: 7FE3 681A DCBC C509 A2FF 77A4 CD7B B36D 66B7 7E0D

Konstantin Olshanov <kolshanov@...udlinux.com>
GPG Key: 0x891E1FDBF34ED0FD (download
<https://cryptup.org/pub/kolshanov@...udlinux.com>)
GPG Fingerprint: B502 0D7C BB2C 674C 6387  FBDC 891E 1FDB F34E D0FD


9. Have someone already on the private list, or at least someone else
who has been active on oss-security for years but is not affiliated with
your distro nor your organization, vouch for at least one of the people
requesting membership on behalf of your distro (then that one
vouched-for person will be able to vouch for others on your team, in
case you'd like multiple people subscribed)
Dmitry V. Levin <ldv@...linux.org>, Chief Architect, ALT Linux can vouch
for Leonid Kanter.

Regards,
Igor Seletskiy |  CEO
CloudLinux OS <https://cloudlinux.com/cloudlinuxos>   |   KernelCare
<https://www.cloudlinux.com/kernelcare>   |   Imunify360
<http://imunify360.com/>

Get 24/7 free, exceptionally good support at cloudlinux.zendesk.com
Follow us on twitter for technical updates: @CloudLinuxOS
<https://twitter.com/cloudlinuxos>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ