Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 20 Mar 2015 16:49:05 -0700
From: Alan Coopersmith <>
CC: John Haxby <>
Subject: Re: membership request  to the closed linux-distros
 security mailing list

On 03/20/15 02:58 PM, John Haxby wrote:
>> On 20 Mar 2015, at 14:54, Solar Designer <> wrote:
>> BTW, we may need to discuss whether Oracle's subscription is for their
>> Linux distro only or also for Solaris.  So far, I refused to subscribe
>> an extra person for them who was not involved in their Linux distro,
>> since I felt their subscription had only been approved by this community
>> for Oracle Linux and not for Solaris.
> It’s for the linux distro variants, exclusively.  The Solaris team have their own security contacts and I’m not one of them.

I was under the impression that members of the Oracle Security Alerts team were 
representing both Oracle Linux & Solaris on the distros list.  If a specific
Solaris engineer is needed on a list, it would probably be me, as the current
lead engineer for security assurance in Solaris engineering, but I've been okay
letting the security alert team handle it.  If I misunderstood, and Solaris is
not supposed to be getting notified, I'd like to fix it so we can be. doesn't mention
any reason Solaris would be excluded - I do see Apple isn't there, which would
probably be the closest OS to the Solaris model of shipping a lot of FOSS
packages around a proprietary core, but I don't know the history of why they're

If you do need to filter between mostly-open-source OS'es and OS'es that just
ship a lot of FOSS, where is that line drawn?   Admittedly the Solaris core
software (kernel, libc, etc.) is no longer open source, but more than half
of the software in our package repo is FOSS.  Drawing the line at 100% pure
would exclude most Linux distros, so is it somewhere around 90% that you
cut off at?  95%?  How do you measure? Does a 25 million line proprietary
graphics driver & OpenGL stack count as just one package out of 5000, or
as 5% of a 500 million line code base?

I do participate on oss-security both for my role in Solaris and as the co-lead
of the upstream X.Org security team, for which I've sent through advisories &
answered questions.

For the other questions on this thread about why we send embargoed notices to
distros first -- X.Org does it because we've always done it and not had a
reason to change.   Admittedly the world has changed around X11 over the past
three decades - no longer is the most common X11 deployment a cluster of
professionally administered workstations in an engineering firm or University,
where breaching the X server to get root gives you access to hundreds of other
users files, but a single user laptop or desktop where the user logged into
X probably has root already.

Most major distros that ship X11 (Red Hat, SuSE, Debian, Gentoo, Ubuntu,
OpenBSD, Solaris, MacOS, etc.) do know about X.Org vulnerabilities earlier
than the distros list members, since they have X developers participating in
our private security list evaluating the bug reports and reviewing the proposed
fixes, so they wouldn't lose out if we started skipping the distros list and
went public straight away, but the smaller distros that don't participate
upstream would lose advance notice.  Do any of them care if X11 vulnerabilities
go public before they can prepare a patch? If not, it simplifies our life to
remove a stage from the embargo/release process.

[As usual, the preceding is solely my opinion, and is not necessarily
  representative of the rest of either Oracle or the X.Org Foundation.]

	-Alan Coopersmith-    
	 Oracle Solaris Engineering -

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.