Date: Fri, 20 Mar 2015 16:49:05 -0700 From: Alan Coopersmith <alan.coopersmith@...cle.com> To: oss-security@...ts.openwall.com CC: John Haxby <john.haxby@...cle.com> Subject: Re: membership request to the closed linux-distros security mailing list On 03/20/15 02:58 PM, John Haxby wrote: >> On 20 Mar 2015, at 14:54, Solar Designer <solar@...nwall.com> wrote: >> >> BTW, we may need to discuss whether Oracle's subscription is for their >> Linux distro only or also for Solaris. So far, I refused to subscribe >> an extra person for them who was not involved in their Linux distro, >> since I felt their subscription had only been approved by this community >> for Oracle Linux and not for Solaris. > > It’s for the linux distro variants, exclusively. The Solaris team have their own security contacts and I’m not one of them. I was under the impression that members of the Oracle Security Alerts team were representing both Oracle Linux & Solaris on the distros list. If a specific Solaris engineer is needed on a list, it would probably be me, as the current lead engineer for security assurance in Solaris engineering, but I've been okay letting the security alert team handle it. If I misunderstood, and Solaris is not supposed to be getting notified, I'd like to fix it so we can be. http://oss-security.openwall.org/wiki/mailing-lists/distros doesn't mention any reason Solaris would be excluded - I do see Apple isn't there, which would probably be the closest OS to the Solaris model of shipping a lot of FOSS packages around a proprietary core, but I don't know the history of why they're not. If you do need to filter between mostly-open-source OS'es and OS'es that just ship a lot of FOSS, where is that line drawn? Admittedly the Solaris core software (kernel, libc, etc.) is no longer open source, but more than half of the software in our package repo is FOSS. Drawing the line at 100% pure would exclude most Linux distros, so is it somewhere around 90% that you cut off at? 95%? How do you measure? Does a 25 million line proprietary graphics driver & OpenGL stack count as just one package out of 5000, or as 5% of a 500 million line code base? I do participate on oss-security both for my role in Solaris and as the co-lead of the upstream X.Org security team, for which I've sent through advisories & answered questions. For the other questions on this thread about why we send embargoed notices to distros first -- X.Org does it because we've always done it and not had a reason to change. Admittedly the world has changed around X11 over the past three decades - no longer is the most common X11 deployment a cluster of professionally administered workstations in an engineering firm or University, where breaching the X server to get root gives you access to hundreds of other users files, but a single user laptop or desktop where the user logged into X probably has root already. Most major distros that ship X11 (Red Hat, SuSE, Debian, Gentoo, Ubuntu, OpenBSD, Solaris, MacOS, etc.) do know about X.Org vulnerabilities earlier than the distros list members, since they have X developers participating in our private security list evaluating the bug reports and reviewing the proposed fixes, so they wouldn't lose out if we started skipping the distros list and went public straight away, but the smaller distros that don't participate upstream would lose advance notice. Do any of them care if X11 vulnerabilities go public before they can prepare a patch? If not, it simplifies our life to remove a stage from the embargo/release process. [As usual, the preceding is solely my opinion, and is not necessarily representative of the rest of either Oracle or the X.Org Foundation.] -- -Alan Coopersmith- alan.coopersmith@...cle.com Oracle Solaris Engineering - http://blogs.oracle.com/alanc
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.