Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 2 Feb 2012 08:54:50 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: distros & linux-distros embargo period and message format

On Wed, Feb 01, 2012 at 09:17:39PM -0700, Kurt Seifried wrote:
> Is something changing to significantly increase this risk that
> we (the community) are unaware of?

As far as I'm aware, no - it's all the same concerns and reasoning that
we had e.g. 10 years ago.

> You allude to:
> 
> "Why I am making this proposal now: this is triggered by a certain
> off-list discussion I just had; unfortunately, the other party does not
> permit me to post more about it."
> 
> Which is awfully vague.

Unfortunately, yes.  Well, I can add that it's just a person's negative
opinion on what we're doing with these closed lists, with reasoning -
and nothing more.

> I think it's important for there to be openness,
> transparency and honesty in this process or else it won't work.

I fully agree.  However, when someone e-mails potentially helpful
comments to me yet does not permit me to post them to the list, what
options do I have?  Stop the discussion right there - either we discuss
this in public or not at all?  I guess for some topics I would do just
that, but I felt that this one did not cross that line.

> Like you
> pointed out earlier vendors may choose to stop playing together, which
> would REALLY not be good for the vendors or the Open Source community
> long term.

That's my opinion too.

Yet I needed to bring the topic up.  I was not 100% sure that some
vendors currently on the list would find 7-11 days unacceptable.  Being
90% sure was not enough.

I've noticed a decrease in embargo periods over time - I think for
vendor-sec the average might have been 14 days if not more, whereas now
it might be down to 10-12 days or so (excluding the hash DoS thing).
So we turned the old average into the new maximum.  I thought that maybe
we were ready for the "next level" - but it seems not.  Maybe later?

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.