Message-ID: <BANLkTin0XNE-Uv8fMdt25FPe9CtbDVhKnA@mail.gmail.com>
Date: Mon, 4 Apr 2011 14:35:30 +0100
From: Ben Laurie <benl@...gle.com>
To: oss-security@...ts.openwall.com
Cc: Solar Designer <solar@...nwall.com>
Subject: Re: Closed list

On 3 April 2011 22:33, Solar Designer <solar@...nwall.com> wrote:
> Ben,
>
> On Sun, Apr 03, 2011 at 10:06:03PM +0100, Ben Laurie wrote:
>> OK, but ... I wasn't on vendor-sec, but (IMO) am at least as qualified
>> as most of the people who were. Now what?
>
> What do you propose?
>
> In what capacity do you feel you're qualified?

FreeBSD committer, core contributor to various "OpenSource projects
with a large user base and/or high security exposure"

> Don't get me wrong, I have a lot of respect for you - in fact, in my
> sysadmin role, I am flattered that you'd want to be on a list I set up.
> I just think that you providing answers to the questions above will help
> the discussion.  I don't know what your answers would be (I can try to
> guess, but I might be wrong).  I do think that you might propose
> something we have not yet thought of.

I'm not sure I have a helpful proposal, but closed security lists have
always made me somewhat grumpy. Basically, it seems to me that there
are two major problems with them:

1. People who "ought" to have the information don't, because they're
not on the list.

2. People who "ought not" to have the information do, because they are
on the list.

So my general inclination is to at least fix this problem for myself,
by being on all the lists :-)

Yes, this doesn't fix problem 2 - so sorry: my general stance on this
is that it is really impossible to say who "ought" and "ought not" to
have security info. I hear all sorts of noises about vendors being in
the "ought" camp and end users in the "ought not", but that makes no
sense to me: vendors only "need" to be on the "ought" list because
they're a roadblock between the software authors and the end user.
They should just fix that problem. In any case, who is a "vendor"? I
build all my s/w from source, pretty much. Am I therefore a vendor (to
myself)?

Alternatively, I "ought" to be on the list because history has shown
that a) I can sometimes do something useful about the problem and b) I
can be trusted with the information. Maybe that's a better way to run
a list, I don't know.

>
> The vendor-sec membership requirement was just for the initial seed
> membership of the new list.  Its purpose is to ensure we're not making
> things worse in terms of pre-CRD leaks, at least not right away. ;-)
>
> As you can see from another message I posted, I've only set up a
> Linux distros list for now, which lets us side-step the issue of
> comparing one security researcher vs. another for membership of that
> list.  I'd be happy to setup a separate list with only security
> researchers on it, and we can ask folks to CC that list whenever a
> discussion on the Linux distros list is expected to significantly
> benefit from participation of the researchers.
>
> I'd be happy if you have a better proposal.
>
> Thanks,
>
> Alexander
>
