Date: Sun, 2 Jul 2017 17:29:25 +0300
From: Igor Seletskiy <i@...udlinux.com>
To: oss-security@...ts.openwall.com
Subject: linux-distros list membership application - CloudLinux

Hello Everyone,

I would like to apply for membership in the linux-distros list for CloudLinux OS. Please see the application attached.

1. Be an actively maintained Unix-like operating system distro with substantial use of Open Source components

CloudLinux OS (https://www.cloudlinux.com) is an RPM-based distribution launched in 2010, based on RedHat EL (most of the packages) and OpenVZ (kernel). We customize and add multiple RPMs (like Apache, PHP, python, ruby, MySQL, MariaDB and some others) as well as the kernel.

Source code available at:
http://repo.cloudlinux.com/cloudlinux/6/updates/SRPMS/
http://repo.cloudlinux.com/cloudlinux/7/updates/Sources/SPackages/

2. Have a userbase not limited to your own organization

We have around 4,000 companies (mostly hosting providers) using CloudLinux OS across ~40,000 servers to host ~20,000,000 domains.

3. Have a publicly verifiable track record, dating back at least 1 year and continuing to present day, of fixing security issues (including some that had been handled on (linux-)distros, meaning that membership would have been relevant to you) and releasing the fixes within 10 days (and preferably much less than that) of the issues being made public (if it takes you ages to fix an issue, your users wouldn't substantially benefit from the additional time, often around 7 days and sometimes up to 14 days, that list membership could give you)

We typically have to patch local privilege escalations in the kernel ASAP, as our customers are easily rooted using this type of vulnerability (anyone can buy a website or hack an old WordPress instance and run any code).

Some records:
The stack clash (Jun 21, 2016): https://www.cloudlinux.com/cloudlinux-os-blog/entry/cve-2017-1000364-fixed-for-cloudlinux-7
Dirty Cow (Oct 21st, 2016): https://www.cloudlinux.com/cloudlinux-os-blog/entry/cloudlinux-6-kernel-updated-dirty-cow-issue-fixed
Ghost (Jan 27, 2015): https://www.cloudlinux.com/cloudlinux-os-blog/entry/glibc-ghost-remote-vulnerability-cve-2015-0235

4. Not be (only) downstream or a rebuild of another distro (or else we need convincing additional justification of how the list membership would enable you to release fixes sooner, presumably not relying on the upstream distro having released their fixes first?)

Our kernel has a significant amount of changes compared to the OpenVZ kernel. We also do slight modifications to the Apache web server, and ship customized versions of PHP (multiple versions), python, ruby, MySQL and MariaDB that are packaged by us, and not taken from upstream.

5. Be a participant and preferably an active contributor in relevant public communities (most notably, if you're not watching for issues being made public on oss-security, which are a superset of those that had been handled on (linux-)distros, then there's no valid reason for you to be on (linux-)distros)

We are actively watching for issues on oss-security, but usually the issues that are relevant to us are already fixed by upstream distributions, so we didn't feel we could contribute much. I think our kernel developers can help with some of the work once we have the information in advance. Right now they are mostly adopting patches from upstream, as they are already there...

6. Accept the list policy: http://oss-security.openwall.org/wiki/mailing-lists/distros#list-policy-and-instructions-for-members (also quoted below)

Please consider this note as acceptance of the list policy.

7. Be able and willing to contribute back, preferably in specific ways announced in advance (so that you're responsible for a specific area and so that we know what to expect from which member), and demonstrate actual contributions once you've been a member for a while: http://oss-security.openwall.org/wiki/mailing-lists/distros#contributing-back (also quoted below)

We would be happy to help with administrative tasks:

1. Promptly review new issue reports for meeting the list's requirements and confirm receipt of the report and, when necessary, inform the reporter of any issues with their report (e.g., obviously not actionable by the distros) and request and/or propose any required yet missing information (most notably, a tentative public disclosure date)

2. If the proposed public disclosure date is not within list policy, insist on getting this corrected and propose a suitable earlier date

And possibly more in the future, as we have a better understanding of the amount of work needed to handle those tasks. We will need some handholding at first to make sure we do things correctly.

8. Be able and willing to handle PGP-encrypted e-mail

Please find the PGP-related info below:

Leonid Kanter <lkanter@...udlinux.com>
GPG Key: 0x400296079AE5954F (download <https://email@example.com>)
GPG Fingerprint: A07D AA47 48B2 C445 6A44 9B38 4002 9607 9AE5 954F

Igor Seletskiy <i@...udlinux.com>
GPG Key: 0xCD7BB36D66B77E0D (download <https://firstname.lastname@example.org>)
GPG Fingerprint: 7FE3 681A DCBC C509 A2FF 77A4 CD7B B36D 66B7 7E0D

Konstantin Olshanov <kolshanov@...udlinux.com>
GPG Key: 0x891E1FDBF34ED0FD (download <https://email@example.com>)
GPG Fingerprint: B502 0D7C BB2C 674C 6387 FBDC 891E 1FDB F34E D0FD

9. Have someone already on the private list, or at least someone else who has been active on oss-security for years but is not affiliated with your distro nor your organization, vouch for at least one of the people requesting membership on behalf of your distro (then that one vouched-for person will be able to vouch for others on your team, in case you'd like multiple people subscribed)

Dmitry V. Levin <ldv@...linux.org>, Chief Architect, ALT Linux, can vouch for Leonid Kanter.

Regards,

Igor Seletskiy | CEO
CloudLinux OS <https://cloudlinux.com/cloudlinuxos> | KernelCare <https://www.cloudlinux.com/kernelcare> | Imunify360 <http://imunify360.com/>
Get 24/7 free, exceptionally good support at cloudlinux.zendesk.com
Follow us on twitter for technical updates: @CloudLinuxOS <https://twitter.com/cloudlinuxos>