Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 12 Dec 2023 14:35:35 -0600
From: Jonathan Wright <jonathan@...alinux.org>
To: oss-security@...ts.openwall.com
Cc: Andrew Lukoshko <alukoshko@...alinux.org>, benny Vasquez <benny@...alinux.org>, 
	Igor Seletskiy <iseletsk@...alinux.org>, Darya Malyavkina <dmalyavkina@...udlinux.com>, 
	Jack Aboutboul <jack@...alinux.org>
Subject: AlmaLinux Distros List Application

I’m submitting this application on behalf of the AlmaLinux OS Foundation.


Myself (Jonathan Wright) and Andrew Lukoshko, our lead architect, would be
joining if approved.


   1.

   Be an actively maintained Unix-like operating system distro with
   substantial use of Open Source components
   1.

      We are actively maintained and have released 4 minor versions this
      year (8.8, 8.9, 9.2, and 9.3) along with small updates within the minor
      versions, generally at least a few updates per week.
      2.

   Have a userbase not limited to your own organization
   1.

      Our public mirror system alone serves 750k unique systems weekly, and
      is used worldwide for a variety of things.
      3.

   Have a publicly verifiable track record, dating back at least 1 year and
   continuing to present day, of fixing security issues (including some that
   had been handled on (linux-)distros, meaning that membership would have
   been relevant to you) and releasing the fixes within 10 days (and
   preferably much less than that) of the issues being made public (if it
   takes you ages to fix an issue, your users wouldn't substantially benefit
   from the additional time, often around 7 days and sometimes up to 14 days,
   that list membership could give you)
   1.

      Historically we have been following Red Hat releases within 1-2 days,
      and since our shift in June away from following Red Hat we have been able
      to release some security updates ahead of Red Hat (Iperf3 patch and AMD
      microcode/kernel patches specifically). We would not be beholden
to CentOS
      Stream updates for our patch releases.
      4.

   Not be (only) downstream or a rebuild of another distro (or else we need
   convincing additional justification of how the list membership would enable
   you to release fixes sooner, presumably not relying on the upstream distro
   having released their fixes first?)
   1.

      While we've historically done that (which is why it didn’t make sense
      to join earlier), we shifted in June to our own OS that is ABI-compatible
      with RHEL.
      5.

   Be a participant and preferably an active contributor in relevant public
   communities (most notably, if you're not watching for issues being made
   public on oss-security, which are a superset of those that had been handled
   on (linux-)distros, then there's no valid reason for you to be on
   (linux-)distros)
   1.

      we have many participants on the oss-security list.
      6.

   Accept the list policy (see above)
   1.

      accepted
      7.

   Be able and willing to contribute back (see above), preferably in
   specific ways announced in advance (so that you're responsible for a
   specific area and so that we know what to expect from which member), and
   demonstrate actual contributions once you've been a member for a while
   1.

      Immediately we can begin to help reporters ensure their reports are
      following the requirements and are confirmed/replied to. As we
advance our
      understanding of how things operate, and the need arises, we can
expand our
      work into contributing more deeply.
      8.

   Be able and willing to handle PGP-encrypted e-mail
   1.

      done.
      9.

   Have someone already on the private list, or at least someone else who
   has been active on oss-security for years but is not affiliated with your
   distro nor your organization, vouch for at least one of the people
   requesting membership on behalf of your distro (then that one vouched-for
   person will be able to vouch for others on your team, in case you'd like
   multiple people subscribed)
   1.

      Darya Malyavkina from CloudLinux will vouch for us.


-- 
Jonathan Wright
AlmaLinux Foundation
Mattermost: chat <https://chat.almalinux.org/almalinux/messages/@jonathan>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.