Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 25 Apr 2014 21:01:40 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Request for linux-distros list membership

On Fri, Apr 25, 2014 at 08:16:47AM -0700, Anthony Liguori wrote:
> On 04/24/14 17:34, Solar Designer wrote:
> > So, can someone already on linux-distros and distros
> > please volunteer to keep track of all issues being
> > brought to these lists (yes, all issues - including those
> > that don't affect your distro) and ensure that each one
> > of them promptly gets assigned at least a tentative
> > public disclosure date, that such date is within list
> > policy, that the issue is in fact publicly disclosed on
> > that date, and that the disclosure includes a mandatory
> > posting specifically to oss-security (as well as to
> > anywhere else the disclosing person likes to post)?  If
> > any of these requirements are violated (or are about to
> > be violated), please yell on the (private) list (CC'ing
> > the external reporter of the issue, if applicable) until
> > the violation ceases.  Any volunteer(s)?
> 
> This sounds like a terrible job for a human but a simple job for a
> script.

I wish it were so.  I think it is not.

> I think all it really requires is having an agreed upon way to
> take disclosure dates.

Note that a significant percentage of reports come from external people
(not list members), and a significant percentage of them are reporting
an issue to one of these lists for the very first time.  This is a
reason why they may miss list policies stated on the wiki.  They'd
similarly miss "an agreed upon way to take disclosure dates", and it'd
be a job probably for a human to notice and explain this to them.  Well,
maybe we could have a script notice the start of a new thread and the
lack of a properly formatted proposed disclosure date in the first
message, and that script would send e-mails complaining about that.

> It is then simple to have a script that (1)
> complains when (disclosure date - thread creation date) > max embargo
> period (2) complains when a disclosure date has been exceeded without an
> indication that there has been a public statement.

To detect case #2, it'd need access to archived messages.  Right now,
the list server does not store messages in a form it can decrypt later.

> The nice thing about using on-list tagging is that it keeps all of the
> state on list such that anyone can run the bot on their own.

OK, a list member could run that script, entering their key passphrase
once in a while (such as to read new mail and also to run the checks).

I don't mind you giving this approach a try.  Whatever helps you get the
job done while not putting the sensitive info at too high a risk.

> I would propose we use a system like:
> 
> X-Disclosure-Date: 2014-06-01
> 
> To set/update the disclosure date for a given thread.  To indicate that
> something has been disclosed:
> 
> X-Disclosed-On: 2014-06-02T05:00:00Z

OK.  And you also need a way to indicate whether a posting specifically
to oss-security has already been made.  And someone (also a script?)
should check that a posting to oss-security (on that very issue) has in
fact been made (match by CVE ID mention, assuming there was one assigned?
but sometimes there won't be, e.g. in case an issue is determined to be
non-security, yet per policy needs to be brought to oss-security anyway).

It gets tricky, I think to the point where doing it semi-manually is
better.  We're not processing a huge number of issues.  Tracking the
currently open issues e.g. via a tiny text file is viable.  Someone just
needs to do it consistently.
 
> I can watch threads for now and make sure metadata is getting tagged but
> hopefully over time all list members will participate making it not
> depend on one person.  If no one objects, I'll put something together
> and send out a pointer to the code.

Realistically, I wouldn't expect anyone to use the code that you might
send a pointer to.  I suggest that you start by doing the job yourself,
whether manually or with help of scripts you might write.

As to all list members participating, I think this is overkill and it
won't work reliably, just like it has been occasionally failing so far
(when it's everyone's responsibility, it's also no one's).

I want a specific person (or two, but not many) responsible for this.
We can (and should) ask others to follow list policies, but this doesn't
eliminate the need for some of us to ensure that policies are followed.

Thanks,

Alexander

P.S. BTW, I think it's in fact better if you post from your personal
address, because when you post from your Amazon address your
envelope-from keeps changing, preventing whitelisting.  And there's the
DKIM issue you mentioned.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.