Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 22 Mar 2015 12:26:50 +0100
From: Florian Weimer <>
Subject: Re: membership request  to the closed linux-distros security mailing list

* Solar Designer:

> Oh, and I need to announce that one distro left the list earlier this
> month: the person previously subscribed for Android determined that "the
> mail going to those lists hasn't been actionable" for Android.

Well, this can mean basically anything.  Maybe they can't do embargoes
at all, considering how fixed software is delivered to end users.

> 3. Setup a separate list for primarily non-free software and primarily
> non-software vendors.  Of the existing linux-distros members, maybe
> Amazon Linux AMI, MontaVista, and Wind River should be moved there.

Huh?  Isn't Amazon Linux AMI just a piece of software?

Montavista and Wind River are subsidies of Cavium and Intel, and the
parent company product security teams should be on a
(linux-)distros-type list anyway.

> The idea behind such list is that we'd let people decide who they want
> to notify: all distros (including this separate list) or just the more
> free'ish subset (not including this separate list).

Why would you give priority to a free-ish distributions?  What's the
goal?  We are all on the same Internet, which is why I fail to see the
benefit of distributing vulnerability information according based on
this criterion.

> And indeed, the separation between these sub-lists is unclear.  There
> will always be doubts where a given vendor belongs.  For example, to me
> Red Hat is free enough to be on the privileged sub-list, but someone
> might disagree.

Being commercial hopefully means that your security team members don't
need an actual job that pays the bills, which may create additional
obligations.  If the security team is just a bunch of volunteers, you
have different potential for conflicts of interest (not sure what's
worse, an additional job, or commercial pressures).

> Comments?

What's happening on the distros list these days?  Who are the primary
contributors?  Are there discussions about technical details?  Or is
it just CRD coordination?  Or do people just drop off pre-advisories?

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.