Date: Sun, 24 Apr 2011 15:30:29 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: Closed list On Wed, Apr 20, 2011 at 10:19:01PM -0700, Drew Yao wrote: > It seems that you're not opposed to Apple's inclusion on the list. Would you reconsider and allow us on the list? Personally, I'd be happy to invite Apple, *BSD's, and Google security folks to have a sit at the table. Since Google doesn't release a Linux distro for others to use, this precedent probably means subscribing MontaVista and Wind River without any requirements on them making advisories, updates, or whatever public. However: - It'd be difficult to draw the line. What about Solaris distros, etc? - Only two issues were brought up on the new list so far, and as far as I can tell both are Linux specific. - We've already seen some opposition to MontaVista with its current non-public advisories being on the list. And I assume the same would apply to Wind River. - Sorry, I am not speaking of just Apple here. I am still trying to avoid/postpone the "elite club" thing, where current members would vouch for or veto new members. Maybe we'll be forced to arrive at that eventually, but I think this would be a drawback. Thus, I am leaning towards setting up a second list, not limited to Linux. And maybe a third list, for "closed" Linux vendors. Then message senders will be able to decide who they want to inform. (If there's any demand, we may also setup a list excluding Linux, but so far I haven't seen any interest in that.) > In an earlier mail, you mentioned > "For just one vendor, we can be CC'ing you whenever appropriate, with no list needed." We ship a lot of open source software, and outside of Apple, very few people would be qualified to know whether or not we ship any given piece of OSS, especially since we sometimes add new projects to the next, unreleased version of Mac OS X. Fair enough. I'll e-mail you with names of the two components mentioned on the new list so far such that you can confirm they're indeed of no relevance to you. > Regarding the question of where to draw the line for allowing non-Linux distros to the table, I'd say we've earned our place by sending numerous internally discovered bugs to vendor-sec, as well as coordinating disclosure of open source projects like CUPS that we maintain. Yes, you did. However, as soon as we lift the "was a vendor-sec member" requirement for membership of the new list, which we'll need to, we'll have subscription requests from vendors who couldn't have possibly earned their place in this specific way. So we won't be able to use this as a requirement, or doing so would be unreasonable. > We'd want both me and <Jeffrey Czerniak <jeffcz@...le.com> on the list, both using the PGP key found at https://www.apple.com/support/security/pgp/ Thanks for the info. I'll save your message to a separate folder, to return to it when setting up a suitable list or/and when we have some other solution or policy. Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.