Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 03 Jun 2008 11:46:30 -0800
From: Jonathan Smith <>
Subject: Re: tool announcements

Hash: SHA256

Solar Designer wrote:
| Also, I am not on full-disclosure -
| should this prevent me from being a moderator for oss-security, or do I
| have to subscribe to full-disclosure?

I don't think so, no. I actually gave up on FD recently as well, given
the ever-decreasing signal-to-noise ratio.

I should clarify; I don't actually mind cross-posting, so long as the
content is appropriate on all the lists posted to. I just don't,
personally, believe announcements should be on-topic on oss-security.

| Maybe.  However, many topics are valid on Bugtraq - not only Open Source
| ones.  I imagine that someone could be interested in security tool
| announcements relevant to Open Source software only.  Also, Bugtraq is
| so large that few of us would dare to bother its readers with
| announcements of new versions of a tool, even fairly major ones.

Maybe part of the problem is that I'm not that interested in new tools.
The ones I currently have work well enough, and I can only spend so much
effort learning new stuff, and there are more interesting new stuff to
learn :)

| Maybe we need to setup a new oss-sectools list, but I'd rather not go
| for it until we start to receive a substantial number of security tool
| announcements in here.

Sounds good.

| As to "sparking discussion", it is impossible to know that in advance.
| Yes, you wrote "designed to ..." - does ending a post with "comments,
| please?" qualify?  If so, that could be used on any announcement - even
| on a mostly-PR one.

Eh. I'd still lean "no" here. It doesn't seem very likely that "new
version of $my_package released with shiny new stuff" is going to
generate useful discussion. If, on the other hand, the author of the
tool emails the list asking for comments on a new method of
vulnerability scanning or similar, which may have been recently added to
his/her toolkit, that seems quite germane.

| Also, what about those CVE requests - is a single response, assigning
| the CVE number, "discussion"?  OK, in some cases people actually have
| comments.

Good point. CVE assignments to oss software clearly belong on-list since
they help us all by not duplicating work, even if they aren't strictly

| Of the existing lists, Bugtraq is probably the place for PR.


| However, some tools could be of specific relevance to oss-security
| members - e.g., source code analysis tools and fuzzers.  Do you agree?


| Is a moderator supposed to decide whether or not this is the case?

Well, I'm not sure. Not being a moderator, I don't know how much work it
really is. *If* it is a relatively low workload, I think weeding out the
not-as-relevant announces would be very valuable.

|> So, was this message, and "SQL_injection detection tool released" held
|> for moderation?
| Yes, they were.

Good to know.

| I don't regret approving these messages - I think that we're having
| useful discussion as a result, and I think that it was important for
| this group's members to be aware of what was coming to the list (except
| for spam).  Let's say that these two messages are "samples" of content
| that we might or might not want in here.
| My opinion is that moderators are not supposed to define the list's
| policy on their own - and we did not (and still do not) have this bit of
| policy fully defined.  So let's try to take care of that now, or I would
| not know what to do if more messages like these two arrive to the list.

Agreed. I wasn't intending to pass judgment on the moderators, just

For now, I'll concede that there isn't enough traffic to justify forming
a new list. Consequently, I suppose I'm in favor of keeping them
on-list. When/if the announcement traffic level changes, perhaps we
should revisit.


Version: GnuPG v2.0.9 (GNU/Linux)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.