Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 4 Apr 2008 23:12:33 -0600
From: Vincent Danen <vdanen@...sec.ca>
To: oss-security@...ts.openwall.com
Subject: Re: Re: "who shouldn't be on-list"

* [2008-04-04 13:46:11 -0800] Jonathan Smith wrote:

> security curmudgeon wrote:
> | As a new subscriber who did not see specific mention of the desired list
> | population, could you clarify who you feel the list is for, or who should
> | not be on it?
>
> As I see it, the list is for members of the open-source community. Thus,
> to be admitted to the list, you either have to demonstrate that you're a
> developer of a (at least marginally notable) open source project, that
> you're a vendor who redistributes oss, or that you're a security
> researcher who audits or otherwise interacts with oss.
>
> This is, of course, only my opinion and may not reflect the rest of the
> group's ideas.

I think this is a good definition.

Bottom-line would be that this isn't a list for end-users.  End-users or
sysadmins, whatever, could be read-only subscribers... heck, that's no
different than reading web archives.

But to be a "member" of the list, with posting priveleges, I think you
need to be someone who can demonstrate an active role with some OSS --
this does not mean you need to be on a vendor security team, or the
apache/samba/whatever security contact.  You could be a grunt developer
who has an interest in security-related stuff (perhaps good programming
techniques, etc.) and as long as you're a member or developer of some
OSS with a reasonable exposure, then I think you can have a voice on the
list if you like.

Honestly, I think a lot of people will be lurkers... so for them they
never need to progress beyond read-only subscriber.  It's the people who
are interested in security (be it re-active or pro-active) that will
want to be "members" of the list.

Now, having said that, I think the ml subscription can be a lot more
open than wiki editing rights (which is a whole different ball of wax).

-- 
Vincent Danen @ http://linsec.ca/

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.