Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 3 Mar 2011 19:12:24 +0100
From: Marcus Meissner <>
To: OSS Security List <>
Subject: Vendor-sec hosting and future of closed lists

Hi folks,

As moderator of vendor-sec and one of the sysadmins of I noticed
a break-in into the machine last week, which was likely used to
sniff email traffic of vendor-sec. This incident probably happened on Jan 20
as confirmed by timestamp, but might have existed for longer.

As the system in use at is quite old and the admin team and myself
does not really have the time anymore to keep it on a secure level, we
would like to move the list to another hosting place.

I have disabled the specific backdoor, but as I am not sure how the
break-in happened it might reappear. So I recommend not mailing embargoed
issues to at this time.

I have asked Solar Designer if he could take over hosting, and he was agreeing,
including a full GPG crypted setup.

However we found during this brainstorming that changes in the setup
of the vendor-sec list likely are good at this point in time.

The number of subscribers is high, and probably 80-100 people get vendor-sec
emails, making leaks by members always a possbility.

Also the usefulness of v-s in general has a bit diminished, especially with
oss-sec present and more active and more involved upstream projects doing
their own management. Mark J Cox has some stats for Redhat updates showing this.

(To use the threadmill metaphor, v-s does not help us vendors as much
with the speed of the patch threadmill as it did 5 - 10 years ago.)

So I would like to open up a discussion with _all_ OSS Security folks present.

- Is a closed vendor coordination like vendor-sec still needed at this time?

  Meaning: does the benefit of a closed group really outweigh the
  "left out feeling" of non members and its annoyances?

- If yes, would it be an idea to confine or split into lists of focus groups?
  (like Linux vendors, BSD vendors, all OSS source using vendors, etc?)

- Or of course the old option is open:
  Should we proceed with the current state as-is, but throw a bit more
  GPG encryption on top?

- What other options do we have or should we pursue?

At least SUSE, Redhat and Openwall are open for discussion.
Please discuss :)

Ciao, Marcus (vendor-sec moderator)

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.