Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 18 Feb 2008 09:06:09 -0700
From: Vincent Danen <vdanen@...sec.ca>
To: xvendor@...ts.openwall.com
Subject: Re: "going public"

* [2008-02-18 10:23:03 +0100] Sebastian Krahmer wrote:

>> The purpose is to discuss cross-vendor (thus the name) issues.  This is
>> not limited to security problems, and indeed it was meant as an addition
>> to vendor-sec to be able to discuss other issues as well - such as license
>> problems with upstream cdrecord or lack of upstream maintenance of cron.
>> Things like that.
>> 
>> > 3. vendors are only willing to post private patches if its a closed list
>> >    and they know who is subscribed
>> 
>> As soon as vendors are releasing their product the patches cannot be
>> "private" anymore, GPL forbids this, and it's the most frequently used
>> license.
>They are private until CRD. And thats the point. That xvendor
>can become something like a 2nd level cache of vendor-sec.

Yeah, but you would use vendor-sec for that.  I think it's quite
intentional that xvendor has no mention of "security" in it (unlike
oss-security, for instance).

As was previously stated, this is a cross-vendor discussion list for
things that affect all distros; Solar used a glibc bug as an example
before.  Not necessarily security-related, but affects most of us.

I think xvendor is less related to vendor-sec than oss-security would
be.  It might be prudent to look at this way:

- vendor-sec: top level security-only private list (embargoed and
	non-public stuff would go here)
- oss-security: mid-level security-only semi-public list (public
	discussion on security issues goes here)
- xvendor: bottom-level non-security public list (public discussion on
	cross-vendor non-security issues goes here)

I feel bad describing xvendor as a "bottom-level" list, but if you look
at in terms of security (which you're obviously doing) then I think it's
an apt description.  xvendor should not be considered security-related
at all and, I think, security topics would largely be off-topic on this
list (that's what oss-security is for).

-- 
Vincent Danen @ http://linsec.ca/

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the xvendor mailing list charter.