Date: Wed, 22 Jan 2014 04:29:13 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: rf@...eap.de
Subject: Re: linux-distros membership

Hi Roland,

On Mon, Jan 20, 2014 at 05:36:27PM +0100, rf@...eap.de wrote:
> >>>>> "Yves" == Yves-Alexis Perez <corsac@...ian.org> writes:
> 
> Thanks again Yves. Unfortunately this doesn't help me with getting the timely
> reports about kernel security bugs from the linux-distros list. Can
> somebody, who knows the details of the process, please answer what we need
> to do, to get on the list?

Given that you seem to be interested only in Linux kernel vulnerabilities,
I think you're overestimating the value that being on linux-distros
will provide to you.  There are more Linux kernel vulnerabilities being
disclosed on oss-security right away (yes, in public) than those that
pass through linux-distros first.  Yet you were not on oss-security
until after you've posted the request to join linux-distros a week ago.
Did you not actually care?  Or was someone else from Qlustar subscribed?

Asking to join linux-distros before you've been on oss-security for a
while (and preferably, having contributed to the discussions in here) is
putting the cart before the horse.

I did not count them carefully, but I think there are relatively more
non-kernel vulnerabilities passing through linux-distros (than kernel
ones).  Actually, it might be the same ratio as on oss-security, with
the difference being that on oss-security you're not unnecessarily
exposed to additional sensitive info.

Unfortunately, we don't currently have a sub-list for just Linux kernel,
and if we set one up it might not work all that well (we already saw
some confusion with having distros and linux-distros; adding a third
list might make it worse).

I found Qlustar security advisories here:

https://www.qlustar.com/security-advisories

This is great, although I guess in "a Ubuntu/Debian based distro" there
are many more vulnerabilities being discovered.  How do you choose which
packages to issue advisories for?  Are they possibly the packages that
differ from Ubuntu/Debian (that is, that have your customizations)?
At first glance, it appears that about one half of your advisories are
about the kernel.

Would having about 7 days of advance notice (and at most 19 on some
occasions, per list policy) on a small subset of Linux kernel
vulnerabilities be of much help in preparing update packages?  Would it
significantly reduce the window of exposure for your users?  e.g.,
reducing it from 8 days to 1 day is significant, but from 30 days to 23
days is much less so.

As to "the details of the process", we don't currently have it fully
formalized.  We did have a simple process for accepting a subset of
old vendor-sec members into the distros and linux-distros lists, but
after that point I'm afraid we never arrived at a decision on whether we
should introduce a voting/vouching process like vendor-sec had.
Instead, we had a few discussions in here, like the one we're having now
due to your request.  There were several membership requests that I
think fell in the grey area, and I think yours does too: it's not
unreasonable, but it fails to convince me that Qlustar being on
linux-distros would likely significantly benefit the users of your
distro.  Is anyone else in here convinced?  (Genuine question.)

Among the criteria we do have is the distro issuing timely security
updates and advisories.  Qlustar appears to do that, although only for a
subset of packages, and I'm unsure how timely the updates are (e.g., if
they're late by 30 days, then reducing that by ~7 days doesn't help all
that much, as in the example above).

Of the distros currently on the list, I find it most difficult to
justify (to myself) the membership of MontaVista and Wind River.  (This
was discussed before.)  Qlustar appears similar in some aspects, but
without a track record (known to me) of having participated in the
security community (which both MontaVista and Wind River have).
In fact, I don't recall hearing about Qlustar before (and Google web
search finds very little, too).

Are Qlustar's security updates (not just security advisories) publicly
available?

Let's discuss.  Roland, your own opinion counts too - it's not just you
trying to justify this to the rest of us, but it's us all (including
you) trying to arrive at what's deemed the best decision.  We have a
community here on oss-security, and you're welcome to join us and
participate in discussions regardless of whether Qlustar gets on
linux-distros or not.

Meanwhile, please add Qlustar info to:

http://oss-security.openwall.org/wiki/vendors

>     >> >> I hope this is the right place to ask for inclusion of a
>     >> >> Qlustar contact in the linux-distros list.

Yes, it is the right place.

>     >> >> Qlustar is a Ubuntu/Debian based distro targeted at
>     >> >> HPC/Storage/Cloud clusters. We have used our own kernels (typically
>     >> >> based on vanilla) for many years, but have the need to
>     >> >> supply timely security fixes to our users. So far we have to
>     >> >> wait for other distros to come out with their announcements
>     >> >> and then start analyzing the fixes they have done. This leaves
>     >> >> us/our users with a vulnerability window that is way too
>     >> >> large,
>     >>
>     >> > I can't speak for Ubuntu, but you're welcome to participate in
>     >> > the Debian security effort.
>     >>
>     >> thanks a lot for your offer. Could you explain a little more what
>     >> participation in the Debian security effort would mean? Note that
>     >> the issue I currently have is mostly about kernel fixes and we
>     >> don't use Debian nor Ubuntu kernels.
> 
>     Yves> Most of the documentation can be found in the secure-testing
>     Yves> repository [1] and on the Debian wiki [2].
> 
>     Yves> [1]:
>     Yves> http://anonscm.debian.org/viewvc/secure-testing/doc/narrative_introduction?view=markup
>     Yves> [2]: https://wiki.debian.org/Teams/Security

Alexander

P.S. Somehow your replies arrive as entirely new messages, not as
replies to whatever message you're replying to.  They lack proper
In-Reply-To header.  It'd be helpful if you correct that (for further
replies), as it is needed for proper threading in the list archives.
Normally, In-Reply-To is set if you simply use your mail program's
"reply" feature.  I don't know why this was not happening for you.
