Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 4 Apr 2011 00:18:01 +0400
From: Solar Designer <>
Subject: Re: Closed list

On Fri, Apr 01, 2011 at 02:03:12PM -0400, Josh Bressers wrote:
> Openwall has graciously volunteered to run a new list, and they currently
> have some infrastructure in place to do this. The new list can start up
> right away. In this instance, I fear perfect is the enemy of the good. I'd
> rather see something functional in place than nothing.

I've just setup a new list, GPG-re-encrypting as promised.  It's running
on a dedicated machine, no swap, temporary files on tmpfs.  (Yet this is
not any kind of "perfect security", indeed.  Various risks do apply.)

I'd like the list members to start using the list for discussions on
medium severity issues (and only those!) already known to at least one
of the members (reported to or discovered by one of them).  Please keep
any embargo periods as short as reasonably possible (I suggest a maximum
of two weeks, but let's try to make it shorter whenever possible).
Please assume that discussions on the list may be made public at a later
time; don't post anything that you would not say in public when the
corresponding security issues are already public knowledge.

Once we're comfortable with the list for this purpose, we may start to
"open it up" for external postings (such as by security researchers).
Please contact me about this first (as the list admin); I will likely
want to setup a different e-mail address for that (primarily for
anti-spam reasons).

> Initial members will have had to be a vendor-sec member (no exploders this
> time around). You must reply to this thread, in public (on oss-security).
> We want this to be very public, we have nothing to hide. You must have a
> public gpg key ID included in your reply. The new list will gpg encrypt all
> mail (it does accept plaintext messages though).

Right, but I've added to Josh's requirements as described above,
essentially making this a Linux distributions security contacts list
(not exactly what vendor-sec was).  Thus, to be subscribed to the list
now, one has to meet at least all of the following criteria:

1. Be a vendor-sec member (as of the time it ceased to exist).

2. Be on oss-security by the time Josh posted the above (if you did not
care to join oss-security until now, you hardly have a legitimate need
to be on the closed list now).

3. Be a security contact for a Linux distribution.

1 and 2 above are for the initial seed membership only.  These criteria
will become outdated in some months from now.  On the other hand, there
may be additional requirements, such as:

4. For more than two persons per distro, the need has to be explained
(or maybe we should not allow more than two at all).  (We're already at
three persons per distro for some, which bothers me.)

5. The Linux distro should be issuing timely security updates.  This was
a requirement for vendor-sec membership as well (for distros), but I
guess some distros who qualified some time ago (or were otherwise
accepted) no longer qualify now.  We'll need to double-check all.

6. The person(s) subscribed should be active on oss-security and/or on
the new list (if already subscribed).  We may choose to unsubscribe
silent members (of course, we'll notify them first), assuming that they
are either not paying attention to discussions (and thus the risk
associated with them is unjustified) or they're not really into security
(which is why they have nothing to add to discussions).  Of course, such
assumptions may be wrong.  Yet this "cleanup" approach was (lightly)
applied on vendor-sec on some occasions.

I do recall that a NetBSD person mentioned that *BSD's should not be
left out, and I agree, yet based on what I saw during the month without
vendor-sec, only the Linux distros really cared for such a list.  This
lack of vendor-sec resulted in some ad-hoc long CC: lists on some
security issues.  So I am trying to improve upon what we had with
vendor-sec, as well as upon what we had during the month without
vendor-sec.  Starting a new vendor-sec equivalent (with *BSDs, some
non-distro folks, etc.) as the only new list would not obviously be an
improvement over having no such list at all, so I am not doing it yet.

I have no problem setting up a BSD distros list if there's demand.
CC'ing a discussion to two lists when appropriate isn't that hard.  For
now, I think we can be CC'ing the major BSD's security contacts when we
determine that they need to be aware of an issue discussed on the Linux
distros list.

Ditto for a researchers list and/or for inviting individual researchers
to discussions.

Josh - I subscribed you to the new list per your off-list request (with
info on your new PGP key), but I think you should follow your own rule
and post such a request to the list. ;-)

As to me, I'd like to be on the list representing Openwall and also as
the list admin (maybe we need more admins, to be discussed soon).  I'm
already subscribed. ;-)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.