Date: Wed, 4 Jun 2014 23:01:00 -0700 (PDT)
From: Ramon de C Valle <rdecvalle@...are.com>
To: oss-security@...ts.openwall.com
Cc: Solar Designer <solar@...nwall.com>, 
	VMware Security Response Center <security@...are.com>, 
	Monty Ijzerman <mijzerman@...are.com>
Subject: Re: Request for linux-distros subscription


----- Original Message -----
> From: "Greg KH" <greg@...ah.com>
> To: oss-security@...ts.openwall.com
> Cc: "Solar Designer" <solar@...nwall.com>, "VMware Security Response Center" <security@...are.com>, "Monty Ijzerman"
> <mijzerman@...are.com>
> Sent: Thursday, June 5, 2014 2:23:25 AM
> Subject: Re: [oss-security] Request for linux-distros subscription
> 
> On Wed, Jun 04, 2014 at 10:07:34PM -0700, Ramon de C Valle wrote:
> > Hi Greg,
> > 
> > ----- Original Message -----
> > > From: "Greg KH" <greg@...ah.com>
> > > To: oss-security@...ts.openwall.com
> > > Cc: "Solar Designer" <solar@...nwall.com>, "VMware Security Response
> > > Center" <security@...are.com>, "Monty Ijzerman"
> > > <mijzerman@...are.com>
> > > Sent: Thursday, June 5, 2014 1:09:29 AM
> > > Subject: Re: [oss-security] Request for linux-distros subscription
> > > 
> > > On Wed, Jun 04, 2014 at 12:33:13PM -0700, Ramon de C Valle wrote:
> > > > Hi Alexander,
> > > > 
> > > > > On Tue, Jun 03, 2014 at 01:16:47PM -0700, Ramon de C Valle wrote:
> > > > > > I can attest that Monty is my colleague and the Manager of VMware
> > > > > > Security Response Center. As a former colleague of yours (Kurt) and
> > > > > > also a former linux-distros subscriber, I would like to ask for your
> > > > > > consideration for subscribing Monty (or myself) to linux-distros on
> > > > > > behalf of VMware. Although ESXi isn't a Linux distribution, it
> > > > > > implements Linux-compatible system calls and provides a
> > > > > > GNU/Linux-like ecosystem that allows many applications that are
> > > > > > compiled on/for Linux operating systems to run seamlessly. This
> > > > > > ecosystem includes OSS that should be supported in a timely fashion
> > > > > > pretty much like any other Linux distribution on the list. It also
> > > > > > implements a Linux kernel module interface and uses many Linux
> > > > > > device drivers and kernel modules that also should be supported. In
> > > > > > addition, ESXi is the base layer that many of the Linux
> > > > > > distributions on the list rely upon and run atop of in many
> > > > > > datacenters around the world.
> > > > > 
> > > > > Thank you, Ramon.  This is pretty good rationale, but I feel that
> > > > > getting VMware onto linux-distros for the reasons given above would
> > > > > be a (possibly desirable) change in who the list is for.  So far,
> > > > > it's been for Linux distros, and I deliberately chose the
> > > > > linux-distros name for it.  Now a non-Linux-distro wants to be
> > > > > specifically on linux-distros (not just on distros), and be exposed
> > > > > to Linux-specific vulnerability details (albeit for good reasons).
> > > > > I'd appreciate comments by others active in this community.
> > > > I'm afraid I can't comment on Greg's comments due to my lack of legal
> > > > understanding. However, in addition to the reasons explained above and
> > > > also Alan's comments (which, IMO, also add to our reasons), I'd also
> > > > appreciate comments by others active in this community and would be
> > > > happy to answer any questions anyone might have.
> > > 
> > > Ok, let's keep this on a purely community basis, no legal issues
> > > involved (to quell the tide of private emails about this as well.)
> > > 
> > > Your company takes the Linux kernel drivers (a large majority of the
> > > Linux kernel source tree) and builds a product around it, while refusing
> > > to contribute back to those drivers.  What you are doing has been
> > > explicitly stated as something you should not be doing by a number of
> > > community members.  Somehow you feel that your tiny "core" of a custom
> > > kernel is more important than the larger body of community work you are
> > > relying on in order for that core to work properly.
> > I'd appreciate any references to back the "a large majority of the
> > Linux kernel source tree", "while refusing to contribute back to those
> > drivers", and "tiny "core" of a custom kernel" statements if you want
> > me to make any comments.
> 
> You referenced it above in your statement about why you want to be part
> of the group.  You write:
> 	It also implements a Linux kernel module interface and uses many
> 	Linux device drivers and kernel modules that also should be
> 	supported.
> 
> That Linux kernel driver codebase is huge, and odds are, much larger
> than the core kernel you are linking it to (just by the virtue of the
> fact that the Linux kernel core is much smaller than the driver portion
> of the source tree you are using.)  If I'm wrong in that your kernel is
> much larger than the drivers being used here, well, you all are doing
> something wrong :)
It wasn't said that we use every Linux kernel driver in the Linux kernel source tree, and you're also assuming that the only thing shipped in our product that is developed by us is the kernel core.

> 
> > > Because of this reliance on that large body of code, you are now asking
> > > to be notified ahead of time about vulnerabilities in that code base by
> > > the same community members you are ignoring in the first place.
> > Same for "Because of this reliance on that large body of code".
> > 
> > > 
> > > Does that seem like a fair thing to be asking for?
> > > 
> > > To me it does not, but feel free to persuade me otherwise.
> > My intention isn't to persuade anyone.
> 
> Well, as that is what you are supposed to be doing in order to get
> admission, it seems odd that you don't intend to do this.
Like I said, my intention isn't to persuade anyone. If everyone thinks that we shouldn't be subscribed to linux-distros, that's fine.

> 
> > If everyone thinks that we shouldn't be subscribed to linux-distros,
> > that's fine. I just would like a fair reasoning of why not, instead of
> > biased and emotionally-filled comments.
> 
> Taking emotions out of humans and decisions causes other major problems,
> don't try to do that.  On the linux-distro list, you will have to be
> interacting with (well, supposed to be) the humans of those open source
> projects in order to address the issues found on the list.  Those
> community members are actual people with emotions and histories of
> dealing with companies in various manners.  If you somehow think that
> they will not react in ways that they feel are in the best interest of
> their project's long-term interests, well, then you are forgetting how
> open source communities work.
> 
> thanks,
> 
> greg k-h
> 
-- 
Ramon de C Valle
VMware Product Security Engineering
