Date: Wed, 4 Jun 2014 21:43:05 -0700 (PDT)
From: Ramon de C Valle <>
Cc:, Monty Ijzerman <>
Subject: Re: Request for linux-distros subscription

Hi Kurt,

----- Original Message -----
> From: "Kurt Seifried" <>
> To:, "Monty Ijzerman" <>
> Cc: "Ramon de C Valle" <>
> Sent: Thursday, June 5, 2014 12:24:03 AM
> Subject: Re: [oss-security] Request for linux-distros subscription
> On 06/04/2014 02:41 PM, Raphael Geissert wrote:
> > On Wednesday 04 June 2014 12:33:13 Ramon de C Valle wrote:
> >> I'd also appreciate comments by others active in this community
> >> and would be happy to answer any questions anyone might have.
> > 
> > Other than earlier product re-qualification I don't see how you
> > could justify joining the list, am I missing something? If that's
> > the only reason, I guess a question that should be asked is: is
> > exposing the details to more people actually worth the extra time?
> > 
> > (speaking for myself here)
> > 
> > Cheers,
> > 
> It sounds like adding VMware is not warranted, they don't ship "a
> Linux[1]", so I see no compelling reason for them to be added. For the
> few Open Source projects they are involved in, those upstreams are
> notified as part of the process of bringing things to the distros list
> so that should suffice.
It seems you didn't understand my reasoning.

> [1] if they are added then by that logic we need to add every product
> which has virtualization support or a ported environment that can run
> Linux (busybox anyone?) which is basically crazy.
This statement just enforces what I said above. There are so many problems in this statement that I don't even know where to start. It is my understanding that you're comparing ESXi with BusyBox, although they're different things and ESXi uses BusyBox (which you probably didn't know).

If we enter in the merit of virtualization products (and cloud services), you may or may not have noticed, but the majority of them are already subscribed (albeit indirectly) but VMware. Amazon, Canonical, Oracle and Red Hat are all present. Let's assume, for example, that a critical vulnerability in a critical OSS that affects not only the Linux distributions but also the virtualization products (and cloud services) of any of the companies mentioned above is disclosed on the list. We both know that this information will be used not only to fix the vulnerability in the Linux distributions but also in all the other products and services of these companies in advance. Don't you think it's a bit unfair? I could easily assume that you are biased towards VMware not being subscribed to the list. But we aren't going to enter in that merit, are we?

So far I have explained many reasons why we should be subscribed to the list, yet you haven't explained any why we shouldn't (despite the "you're not a Linux distribution" above, which I have said myself in my very first post).

> --
> Kurt Seifried - Red Hat - Product Security - Cloud stuff and such
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
--
Ramon de C Valle
VMware Product Security Engineering