Date: Tue, 8 Mar 2011 11:19:43 -0500 (EST)
From: R P Herrold <herrold@...river.com>
To: oss-security@...ts.openwall.com
Subject: Vendor-sec hosting and future of closed lists

On Tue, 8 Mar 2011, Josh Bressers wrote:

prior content, not from Josh:
>> We would also be willing to host and maintain a closed vendor-sec style
>> mailing list like the previous one with the only condition for member
>> list to be public (not necessarily the individual contact names but at
>> least the entities represented).

I guess I do not see the reason for such a listing.  The list 
that Josh put together from memory does not include the 
distributions I represented and coordinated vendor-sec matters 
for.  Having such a list just offers better target 
identification of those NOT on the list and thus may lag a 
CRD, no?  How is this beneficial?

> There is also the option of recreating an old style list. This is a bit
> more ad-hoc and Openwall has already offered to host such a thing (Solar
> has quite a bit already in place). I do favor this a bit, as it would make
> a nice complement to oss-security.

I favor such as well - I posted an offer to host such pro bono 
as a neutral vendor (centos inherently trails), but it was 
caught up in the trashing of the old vendor-sec host and so 
did not ever pass the old list.  Openwall's offer is fine by 
me as well.   I mentioned adding opportunistic SSL/TLS 
transport on the mailserver, to cut out casual MitM 
eavesdropping.

> 1) Membership management is a pain. Adding new people is annoying and
>   nobody ever leaves.
> 2) Nobody is in charge, which means sometimes issues can get ignored or
>   forgotten (also see #1)

These track together -- mailman or such will cull dead email 
accounts that bounce of course, but that is a pretty mild form 
of management.  Absent a charter to somehow mandate some 
'contribution' to remain on a list, there is not a clear rule 
to 'weed' the list.  But is this really needed except from 
some idea of avoiding 'too many eyes'?  Frankly running a 
distribution is work and for non-commercial distributions, 
unpaid work.

If a criterion for remaining on the list is needed, it is 
needed to make sure that eyes are still reading the content -- 
handle that with a periodic 'tracer' piece, and drop 
non-responders.

-- Russ herrold
   (centos, cAos)
