Date: Wed, 23 Oct 2019 12:08:48 -0700
From: "Srivatsa S. Bhat" <srivatsa@...il.mit.edu>
To: oss-security@...ts.openwall.com
Cc: Steven Rostedt <rostedt@...dmis.org>, sashal@...nel.org,
 amakhalov@...are.com, anishs@...are.com, Sharath George
 <sharathg@...are.com>, mijzerman@...are.com,
 Srivatsa Bhat <srivatsab@...are.com>,
 "Srivatsa S. Bhat" <srivatsa@...il.mit.edu>
Subject: Membership application for linux-distros - VMware

Hello!

I would like to apply for membership to the linux-distros list for
VMware Photon OS.

> 1. Be an actively maintained Unix-like operating system distro with
> substantial use of Open Source components

Photon OS is a fully open-source RPM-based Linux distribution built
and maintained by VMware. We have released 3 major versions of the
distro so far (starting with Photon OS 1.0 back in 2015), and all of
them are being actively maintained with regular package updates to fix
bugs and security vulnerabilities.

https://vmware.github.io/photon/
https://github.com/vmware/photon



> 2. Have a userbase not limited to your own organization

Photon OS images are publicly available for download for various
platforms:

- ISOs for x86_64 and ARM64
- Images for Raspberry Pi
- Docker images
- OVAs
- Cloud images for AWS, GCE and Azure

As for consumption apart from VMware's internal use, Photon OS is
included in various software products shipped to customers, as the
base Operating System for many of VMware's Virtual Appliances (e.g.,
vCenter).

Beyond VMware, Photon OS is used by industry partners and hobbyists.

Here are some statistics to give a picture of overall Photon OS usage,
and some metrics to quantify the participation from external users:

Photon OS package download trends from bintray:
https://bintray.com/vmware/photon/3.0/GA#statistics

Photon OS docker images have been downloaded over 1M times:
https://hub.docker.com/_/photon/

External feature/bug-fix requests to Photon OS:
https://github.com/vmware/photon/issues

External contributions to Photon OS:
https://github.com/vmware/photon/pulls?utf8=%E2%9C%93&q=is%3Apr+is%3Aclosed+no%3Alabel



> 3. Have a publicly verifiable track record, dating back at least 1
> year and continuing to present day, of fixing security issues
> (including some that had been handled on (linux-)distros, meaning that
> membership would have been relevant to you) and releasing the fixes
> within 10 days (and preferably much less than that) of the issues
> being made public (if it takes you ages to fix an issue, your users
> wouldn't substantially benefit from the additional time, often around
> 7 days and sometimes up to 14 days, that list membership could give
> you)

We maintain Security Advisories for all versions of Photon OS on our
Github wiki (dating back several years):

https://github.com/vmware/photon/wiki/Security-Advisories

Recent examples of fixing security vulnerabilities in a timely manner
include:

1. TCP SACK PANIC (CVE-2019-11477, CVE-2019-11478, CVE-2017-11479):

   https://github.com/vmware/photon/wiki/Security-Updates-3.0-0021
   https://github.com/vmware/photon/wiki/Security-Updates-2-165
   https://github.com/vmware/photon/wiki/Security-Updates-1.0-240

   Public CVE disclosure date: 17-Jun-2019
   Photon updates for linux kernel package released: 20-Jun-2019

2. Container escape due to runC vulnerability (CVE-2019-5736):

   https://github.com/vmware/photon/wiki/Security-Updates-3.0-0001
   https://github.com/vmware/photon/wiki/Security-Updates-2-128
   https://github.com/vmware/photon/wiki/Security-Updates-1.0-208

   Public CVE disclosure date: 11-Feb-2019
   Photon updates for docker package released: 12-Feb-2019

3. Privilege escalation with sudo (CVE-2019-14287):

   https://github.com/vmware/photon/wiki/Security-Updates-1.0-254
   https://github.com/vmware/photon/wiki/Security-Updates-2-183
   https://github.com/vmware/photon/wiki/Security-Updates-3.0-0035

   Public CVE disclosure date: 14-Oct-2019
   Photon updates for sudo package released: 17-Oct-2019



> 4. Not be (only) downstream or a rebuild of another distro (or else we
> need convincing additional justification of how the list membership
> would enable you to release fixes sooner, presumably not relying on
> the upstream distro having released their fixes first?)

Photon OS is not derived from any other distro. All Photon packages
are built directly from their corresponding upstream sources, with
additional patches on top to add features, fix bugs etc., as needed.
The Photon OS team entirely owns the release pipeline and is solely
responsible for releasing fixes to vulnerable packages. Thus, getting
to know about security issues sooner would help us prepare and test
fixes early and make them available to our users as quickly as
possible after the public disclosure of the vulnerabilities.



> 5. Be a participant and preferably an active contributor in relevant
> public communities (most notably, if you're not watching for issues
> being made public on oss-security, which are a superset of those that
> had been handled on (linux-)distros, then there's no valid reason for
> you to be on (linux-)distros)

Beyond monitoring security issues actively, several members of the
Photon OS team regularly contribute patches to the Linux kernel,
particularly in terms of backporting security fixes to the upstream
LTS stable trees. For example, I contributed backports of the fixes
for Spectre-v2 (IBPB/IBRS) and Speculative Store Bypass vulnerability
(over 100 patches in total), to the upstream Linux 4.4.y stable
series.

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/log/?h=linux-4.4.y&qt=grep&q=Signed-off-by:+Srivatsa+S.+Bhat



> 6. Accept the list policy (see above)

We are happy to accept the list policy.



> 7. Be able and willing to contribute back (see above), preferably in
> specific ways announced in advance (so that you're responsible for a
> specific area and so that we know what to expect from which member),
> and demonstrate actual contributions once you've been a member for a
> while

We would like to volunteer for the following tasks (but we would love
your suggestions on taking up other tasks instead, depending on the
current needs of the list).

Technical:

4. Check if related issues exist in the same piece of software (e.g.,
same bug class common across the software, or other kinds of bugs
exist in its problematic component), and inform the list either way -
primary: Ubuntu, backup: vacant

Administrative:

5. Determine if the reported issues are Linux-specific, and if so help
ensure that (further) private discussion goes on the linux-distros
sub-list only (thus, not spamming and unnecessarily disclosing to the
non-Linux distros) - primary: SUSE, backup: vacant



> 8. Be able and willing to handle PGP-encrypted e-mail

Of course.



> 9. Have someone already on the private list, or at least someone else
> who has been active on oss-security for years but is not affiliated
> with your distro nor your organization, vouch for at least one of the
> people requesting membership on behalf of your distro (then that one
> vouched-for person will be able to vouch for others on your team, in
> case you'd like multiple people subscribed)

Sasha Levin <sashal@...nel.org> has graciously agreed to vouch for
Steven Rostedt <rostedt@...dmis.org>, who is a part of the Open Source
Technology Center at VMware. Steven, in turn, will vouch for me
(Srivatsa S. Bhat <srivatsa@...il.mit.edu>), and I'll represent the
Photon OS team on the list.


Regards,
Srivatsa
VMware Photon OS


