Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 17 May 2011 12:12:01 +0200
From: Tomas Hoger <>
Subject: Re: Closed list

On Mon, 2 May 2011 22:40:46 +0400 Solar Designer wrote:

> A secondary goal behind requiring access to advisories and updates
> (not just metainfo) would be to be able to draw the line between
> vendors and companies that build their own Linux distros in house.
> The latter could also publish an RSS feed showing how they update
> their packages, yet they would not be a vendor to anyone other than
> themselves...  On the other hand, publishing updates without
> publishing the distro itself doesn't make them more of a vendor to
> others.  So to achieve this goal we'd probably need to require the
> distro itself to be public (in at least one form - e.g., Red
> Hat's .src.rpm's are sufficient), not just advisories and updates.

I think we are likely to need exceptions to the "open as RHEL srpms"
requirement.  It seems SUSE's SLE would not satisfy it (see
distro-patches wiki), and I'm pretty sure we'd not benefit from not
allowing SUSE folks, or asking them use the list info for OpenSUSE, but
not for SLE.

Tomas Hoger / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.