Date: Sat, 13 Feb 2016 08:02:59 +0000
From: halfdog <me@...fdog.net>
To: oss-security@...ts.openwall.com
Subject: Re: Thoughts about security of Linux distributor collaboration platforms, bugtrackers for opensource software


Scotty Bauer wrote:
> I assume most severe linux bugs are going through the distros list 
> which does exactly as you describe in your mail...
> 
> http://oss-security.openwall.org/wiki/mailing-lists/distros

That is true, so the distros list can be proud to have adopted a
secure procedure already. But at least some of the issues that are going
to be communicated on the distros list were handled in various bug
tracking and collaboration platforms up to the point that severe security
impact is confirmed. I would guess that quite a number of issues stay in
that state for about 2-6 months before making it to the distros list and
the beginning of the maximum 2-week final embargo time.

Data communicated in the final 2 weeks is secured, but I am worried
about the 6-month centralized, structured and unencrypted
communication before that, which might not be so hard to tap into.

> On 02/12/2016 10:52 PM, halfdog wrote:
>> Hello List,
>> 
>> As just written in a mail to another list, this might also be
>> interesting for discussion here:
>> 
>> As it would be the most natural thing for e.g. NSA, China, ...
>> (those with capabilities to monitor large amounts of network
>> traffic) to just record all mails from large-scale Linux
>> distribution collaboration and issue tracking systems containing
>> the keyword "security", and as this is a very cheap way to get to
>> near-zero-day material, I would assume that this is already
>> done. This is like serving them zero days on a golden plate.
>> 
>> Hence really critical security material perhaps should not go to
>> such platforms, e.g. Ubuntu Launchpad, or the platform should be
>> modified to send security issues only in encrypted mails without
>> a talkative title; members without a mail public key registered
>> should get only the message "Bug [Number]: Info changed" including
>> the HTTPS link to the issue in the platform.
>> 
>> What do you think?
>> 
>> Does someone have a link to anyone having access to the selector 
>> lists leaked by Snowden to ask them, which of the distros are 
>> already in scope or otherwise to discard this e-mail as pure 
>> paranoia?
>> 
>> Kind regards, hd

-- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
