Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 3 Apr 2011 19:32:52 -0400
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: oss-security@...ts.openwall.com
Cc: Benji <me@...ji.com>
Subject: Re: Closed list

On Sun, Apr 3, 2011 at 6:58 PM, Benji <me@...ji.com> wrote:
> This is pathetic. You've all just made your personal and 'work' email
> addresses targets by having a ridiculous public 'signup' system, and
> the fact you all feel the need to hide behind some sort of veil for
> security issues.
>
>

Do you really think anyone is gaining new information by discovering
that, say, a member of the security team for a major distro will be on
this mailing list?  Such information seems pretty obvious to me.

I think this thread is useful in the interest of transparency, which
was sorely lacking with the previous incarnation of vendor-sec.  And
with regards to enforcing embargoes for security issues, I'd think you
would have better people to complain to a security community that
tends to only enforce embargoes for days or occasionally weeks, and
only for more serious issues, as opposed to the months or years that
issues may go unfixed in the commercial software world.  While
delaying security fixes unnecessarily is harmful to users,
coordinating fixing over a short timeframe such that major
distributions can release updates simultaneously seems like common
sense, not "hiding being some sort of veil".

-Dan

>
> On 4/3/11, Solar Designer <solar@...nwall.com> wrote:
>> Mike,
>>
>> On Fri, Apr 01, 2011 at 06:58:52PM -0400, Mike O'Connor wrote:
>>> pub    512R/205BBF7D 2001-12-30
>>>       Key fingerprint = 8F 85 89 E1 A2 FC EB D2  27 49 56 1E CC DF C9
>>>       C1
>>> uid                  Michael J. O'Connor <mjo@...o.mi.org>
>>
>> I've subscribed you with this key for now, but you really ought to
>> upgrade to a larger key, and I'd appreciate a statement on what Linux
>> distro you represent on the new list.
>>
>> All: my decision is based on some info known to me, but I'd prefer to
>> base it on Mike's posting to oss-security.  I am saying this to explain
>> that there's a reason why I subscribed Mike, whereas I would not
>> subscribe another "random" person posting the same kind of message from
>> a personal address. ;-)
>>
>> Alexander
>>
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.