Date: Wed, 4 Jun 2014 22:20:29 -0700 (PDT)
From: Ramon de C Valle <rdecvalle@...are.com>
To: oss-security@...ts.openwall.com
Cc: kseifried@...hat.com, Monty Ijzerman <mijzerman@...are.com>
Subject: Re: Request for linux-distros subscription


Hi Greg,

----- Original Message -----
> From: "Greg KH" <greg@...ah.com>
> To: oss-security@...ts.openwall.com
> Cc: kseifried@...hat.com, "Monty Ijzerman" <mijzerman@...are.com>
> Sent: Thursday, June 5, 2014 2:00:21 AM
> Subject: Re: [oss-security] Request for linux-distros subscription
> 
> On Wed, Jun 04, 2014 at 09:43:05PM -0700, Ramon de C Valle wrote:
> > > [1] if they are added then by that logic we need to add every product
> > > which has virtualization support or a ported environment that can run
> > > Linux (busybox anyone?) which is basically crazy.
> > This statement just enforces what I said above. There are so many
> > problems in this statement that I don't even know where to start. It
> > is my understanding that you're comparing ESXi with BusyBox, although
> > they're different things and ESXi uses BusyBox (which you probably
> > didn't know).
> > 
> > If we enter in the merit of virtualization products (and cloud
> > services), you may or may not have noticed but the majority of them
> > are already subscribed (albeit indirectly) but VMware. Amazon,
> > Canonical, Oracle, Red Hat, are all present. Let's assume, for
> > example, that a critical vulnerability in a critical OSS that affects
> > not only the Linux distributions but also the virtualization products
> > (and cloud services) of any of the companies mentioned above is
> > disclosed on the list. We both know that this information will be used
> > not only to fix the vulnerability in the Linux distributions but also
> > in all the other products and services of these companies in advance.
> > Don't you think it's a bit unfair? I could easily assume that you are
> > biased towards VMware not being subscribed to the list. But we aren't
> > going to enter in that merit, are we?
> 
> Wait, companies aren't on these lists to "fix things in advance", they
> are on them to help resolve the issues with the community members of the
> OSS projects, and to help prepare for the announcement in an organized
> manner.  The fact that they work _with_ the community projects is a
> major thing here.  It is not a one-way street at all.
I couldn't agree more.

> 
> I'm sure if anyone is found to be "fixing things in products ahead of
> time", that will be addressed properly, but that is _not_ the reason
> this group is here for at all from what I can tell (note, I'm not on the
> list, but was on vendor-sec for years, and never saw any "fixes ahead of
> time" there that were not just honest mistakes.)
By fixing in advance, I mean having the fixes/updates ready by the time the vulnerability is publicly disclosed. (However, in the case of cloud services, we may have no way to know whether the fix was, in fact, applied/made in advance.)

> 
> > So far I have explained many reasons why we should be subscribed to
> > the list, yet you haven't explained any why we shouldn't (despite the
> > "you're not a Linux distribution" above, which I have said myself in
> > my very first post).
> 
> What specific OSS products are you relying on that you wish to have
> advance notice of vulnerabilities in?  As you aren't a public Linux
> distro, it's hard to find a list anywhere about what exact code bases
> you are concerned about tracking here.
NTP, OpenSSL, glibc, the Linux device drivers and kernel modules listed at https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere_hypervisor_esxi/5_5#open_source to name a few.

> 
> Well, except for the previously mentioned huge Linux driver code base
> (i.e. the thing that runs your flagship product) but I've already stated
> my objection there for why you should not be allowed access to any
> "special" knowledge there.
> 
> thanks,
> 
> greg k-h
> 
--
Ramon de C Valle
VMware Product Security Engineering