Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 04 Jun 2014 22:37:57 -0700
From: Russ Allbery <>
Cc:,  Monty Ijzerman <>
Subject: Re: Request for linux-distros subscription

Ramon de C Valle <> writes:

> By fixing in advance, I mean to have the fixes/updates ready by the time
> the vulnerability is publicly disclosed. (However, in the case of cloud
> services, we may not have how to know if the fix was, in fact,
> applied/made in advance.)

This is obviously of huge business value to VMware as a company.  I'm
missing how your ability to do this for your product is of value to the
open source community, however.  What is VMware bringing to the table here
in terms of value provided to the other members of linux-distros due to
having VMware as a member?

This is an honest question.  There may well be substantial value that I'm
not seeing.

Alternately, I could also understand if your argument is that this is not
the calculus that was used to judge other, current members, or that the
criteria for membership should be the simple question of whether the
organization uses Linux and related software and would benefit from
advance notification of security vulnerabilities.  (By that argument,
other organizations, such as Apple, should also be eligible for

An aside: I personally, speaking as someone who is not a member but who
has reported embargoed security vulerabilities to linux-distros in the
past and doubtless will in the future, would prefer to restrict
linux-distros membership to the organizations that are actively
contributing to the security of open source software in ways beyond simply
redistributing it.  In other words, I would prefer if linux-distros were
restricted to only organizations with active security teams and a track
record of finding vulnerabilities, developing fixes, coordinating security
fixes among open source distributions, or contributing substantially to
those groups that are doing so.

I view advance notification as a valuable courtesy to help Linux
distributions make their products more secure, and would prefer to only
extend that courtesy to those organizations who have contributed something
back to the community of which I'm part.  Organizations that choose not to
contribute substantially can receive notification at the same time as the
general public.

This is a possibly idiosyncratic opinion, and I know it is not the current
criteria for membership.

Russ Allbery (              <>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.