Date: Mon, 4 Apr 2011 22:54:27 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Closed list

On Mon, Apr 04, 2011 at 07:32:12AM +0100, Benji wrote:
> Can I not be part of the group that thinks a public signup system for a
> mailing list that previously had the mail server owned due to the fact it
> was secret (showing interest in possibly owning users now that emails like
> mjo@...o.mi.org have been confirmed on the list) for a mailing list that is
> 'embargoed' when really it shouldn't be.

What do you mean by: "a mailing list that is 'embargoed' when really it
shouldn't be"?  Does this mean that you're actually against the very
existence of such a list?  I think it is important to know your opinion on
the main issues when we consider your opinion on the detail.

> >> What is your opinion on making the list's archive public with a delay
> >> (when the corresponding security issues are already public)?
>
> It would be better.  In my opinion, the delay would be 1-2 days.

What use is a delay of 1-2 days for members of such a list?  I mean, it is
of some use for high severity issues where the vendors would need to throw
whatever resources they can at resolving the issues ASAP, at the expense of
slowing down work on other tasks (including other security related tasks)
and likely arriving at and releasing non-final fixes (more like
workarounds).  However, my proposal, which I am going to try to enforce, is
to only discuss medium-severity issues on this new list.  I think that an
embargo period of 1-2 days does not make sense for those; if that's all we
can afford, we might as well make them public right away.

> Vendor-sec (alternatives) should be a last resort in publishing issues,
> other projects don't get the same "privileges", and have to "make do"
> with oss-sec.  If you really need such help 'co-ordinating' and fixing
> things, maybe you should have a policy to release advisory/info first,
> then have a 'co-ordination' list.

No offense intended, but it sounds like you did not give the above much
thought, or maybe you did not explain it fully.

That said, I agree that a closed list should be a last resort, to be used
whenever other options are determined to be less appropriate for a
particular security issue.  Unfortunately, this determination is usually
made by just one person (whoever brings the issue to the list), so it is
likely to sometimes be "wrong".

> >> Do you really think anyone is gaining new information by discovering
> >> that, say, a member of the security team for a major distro will be on
> >> this mailing list?  Such information seems pretty obvious to me.
>
> Yes Dan, but now we have private email accounts as well (by people who
> apparently don't like to use vendor email addresses) that are also signed
> up to this, allowing targeting and easy identification

Yes, we lost a security through obscurity layer here, which was arguably
nice to have.  I don't have strong feelings either way (public subscriber
info or not-right-away).  BTW, most of those same e-mail addresses were
already exposed to whoever broke into the vendor-sec machine.

> of probably less secure infrastructure.

My guess (based on partial knowledge) is that Mike's personal e-mail
infrastructure is actually more secure than his employer's.  You have a
valid point in general, though.

> Excuse my "trolling" if some of this has already been covered, I'm up
> early (for me) and thus can be slightly unintelligible.

It's OK.  In fact, comments/criticism such as yours are one of the reasons
why we're handling this discussion in public.  This might enable us to
arrive at something slightly better "next time".

Alexander