Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 5 Apr 2008 01:08:58 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Andrea Barisani <andrea@...ersepath.com>
Subject: Re: announcing oCERT & oss-security to Bugtraq & f-d

Josh, Vincent, Jonathan - thank you for commenting on this so promptly!

Andrea - it appears that the oCERT announcement should be separate, then.
Please go ahead with it, and feel free to mention oss-security in passing
as a group that oCERT intends to work with, as Vincent suggested.  I'm
not sure if it's appropriate to include a link to the oss-security wiki;
I would do it, but Vincent suggested that we make "the intelligent" use
Google instead (and not invite the rest to our wiki just yet).

> Vincent Danen wrote:
> | I don't have a problem with it being announced at the same time, but I
> | do think that one day is pretty short notice to draft a decent
> | announcement (i.e. something that won't result in a "why do we need
> | another ml like fd or bugtraq" barrage of postings),

Good point, and I am sorry for the short notice.  To me, this was
expected, but I failed to notify the oss-security group of this
possibility earlier.  I did not expect that the press would pick oCERT
up before the Bugtraq & f-d announcement, though - and this is now a
reason for not delaying the announcement anymore.

> | because we need to
> | figure out the best way to do this so we don't get people like "n3td3v"
> | coming to the list.

Maybe it's OK if they come to the list, but are unable to post - or get
kicked out.

On Fri, Apr 04, 2008 at 12:08:07PM -0800, Jonathan Smith wrote:
> I've got to agree with Vincent here. We didn't have much heads-up about
> this. Having folks on-list who shouldn't be was my main concern with
> oss-security to begin with, and posting the list to the masses (at this
> point in time) isn't going to make that easier.
> 
> That being said, we need to figure that out before oss-security can be
> useful to a broader range of people and projects.

OK, can we please start figuring this out, then?  Once there's consensus
or an obviously prevailing opinion in this group, Openwall is going to
re-configure the list as it will be agreed upon, and everyone can edit
the wiki to reflect that.  Then we'll be ready for a "big announcement",
right?  Or do we want to work on the wiki content more first?  Or maybe
tighten up the wiki settings?

Let's just not leave things undefined and non-announced forever.  If
oss-security is successful, and it appears that it is, it will become
known anyway - but possibly with more confusion around it if we don't
announce it ourselves.

> | I think we should activate membership moderation before we make a big
> | public announcement for exactly this reason.  Which is why we need more
> | than one day... this needs to be discussed amongst members and needs to
> | be noted in the announcement (to keep the idiots from trying to
> | subscribe and then us having to punt a bunch of them after the fact).
> 
> Yep. But, I still think we should allow read-only memberships without
> moderation. Having to read oss-security through rss or a web interface
> would be frustrating.

I agree with Jonathan on this.

As to whether to enable message pre-moderation for list members before
the announcement or only when we really have to, I am not sure.  I'll
let others decide.

Thanks again,

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.