Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 16 May 2017 17:39:45 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: NetBSD/pkgsrc membership on distros list

Hi,

A few individuals from/for NetBSD/pkgsrc joined the non-public distros
list a while ago.  Unfortunately, lately they appear to have become
inactive.  Thus, I am likely to remove NetBSD/pkgsrc from the distros
list soon unless the membership is "renewed" through demonstrated
interest and vulnerability response by specific people from there.

I notice NetBSD security team is still active in terms of issuing of
public security advisories (latest one posted on March 24), but the way
the situation looks to me (and I admit I could be wrong) those
advisories are not produced by the same people who had joined distros.
So maybe NetBSD needs to nominate their currently active security people
for distros membership on behalf of their project.

I could figure out who the active NetBSD security people are now and
approach them, but that's mostly not how distros membership applications
worked so far - specifically, I'd like membership to be requested by
each distros' security team.  I don't want to be pinging them about it
myself, as that could result in some joining just because they were
invited/reminded like that rather than because of genuine interest.

Similarly, I intentionally don't CC this posting to anyone - if someone
(perhaps from NetBSD) is not in here, then even if they're doing
security response for their distro they are not an ideal representative
for their distro on the distros list.  That's because we assume that the
distro also keeps track of whatever issues are being made public on
oss-security (with most of those issues never having been brought up on
the distros list, so by being only on distros the person would miss most
issues they might need to deal with).

If anyone from NetBSD who is on oss-security has anything relevant to
say on this, please speak up.

Thanks,

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.