Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 8 Mar 2011 11:19:43 -0500 (EST)
From: R P Herrold <>
Subject: Vendor-sec hosting and future of closed lists

On Tue, 8 Mar 2011, Josh Bressers wrote:

prior content, not from Josh:
>> We would also be willing to host and maintain a closed vendor-sec style
>> mailing list like the previous one with the only condition for member
>> list to be public (not necessarily the individual contact names but at
>> least the entities represented).

I guess I do not see the reason for such a listing.  The list 
that Josh put together from memory does not include the 
distributions I represented and coordinated vendor-sec matters 
for.  Having such a list just offers better target 
identification of those NOT on the list and thus may lag a 
CRD, no?  How is this beneficial?

> There is also the option of recreating an old style list. This is a bit
> more ad-hoc and Openwall has already offered to host such a thing (Solar
> has quite a bit already in place). I do favor this a bit, as it would make
> a nice compliment to oss-security

I favor such as well - I posted an offer to host such pro bono 
as a neutral vendor (centos inherently trails), but it was 
caught up in the trashing of the old vendor-sec host and so 
did not ever pass the old list.  Openwall's offer is fine by 
me as well.   I mentioned adding opportunistic SSL/TLS 
transport on the mailserver, to cut out casual MitM 

> 1) Membership management is a pain. Adding new people is annoying and
>   nobody ever leaves.
> 2) Nobody is in charge, which means sometimes issues can get ignored or
>   forgotten (also see #1)

These track together -- mailman or such will cull dead email 
accounts that bounce of course, but that is a pretty mild form 
of management.  Absent a charter to somehow mandate some 
'contribution' to remain on a list, there is not a clear rule 
to 'weed' the list.  But is this really needed except from 
some idea of avoiding 'too many eyes'?  Frankly running a 
distribution is work and for non-commercial distributions, 
unpaid work

If a criteria for remaining on the list is needed, it is 
needed to make sure that eyes are still reading the content -- 
handle that with a periodic 'tracer' piece, and drop 

-- Russ herrold
 	(centos, cAos)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.