Date: Thu, 25 May 2017 21:37:44 +0200 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: independent volunteers on distros list Hi, On the old vendor-sec list (1998(?) - 2011), there were not only distro vendors, but also individual volunteers (in fact, I was originally invited in that capacity, prior to Openwall having a Linux distro) and some major upstream projects (X.Org, Samba). When vendor-sec ceased to exist, I setup the (linux-)distros list(s), intentionally calling them such to more clearly draw the line on who's to be accepted and to avoid slippery slope. While I'm still of the opinion that non-distro upstream projects should not be on those lists (instead, they are being CC'ed when needed), nor subject matter experts with certain domain-specific knowledge (ditto), I'd like to change my mind regarding the non-distro volunteers (aka security researchers) with broad expertise and a track record of evaluating vulnerabilities and fixes and finding more issues in those. I am referring e.g. to the aftermath of Shellshock public disclosure. Rather than have this happen post-disclosure, we can take the slightly higher risk of leaks (from having just a few more people subscribed, and perhaps people who are better equipped to deal with confidential information than most distros' representatives are) and have better understanding and fixes pre-disclosure. I am convinced there are ways to avoid the slippery slope should the issue arise. There are few people out there who are at the same time capable (broad expertise and a track record of finding more issues in the fixes), willing, and available to volunteer, and who someone already subscribed would vouch for and no one would object against. Perhaps fewer such people than we have distros. For now these are the criteria, but if necessary there are other potential policies we could introduce. Unlike people subscribed for distros (whose primary reason to be subscribed is that they make use of the info to prepare fixes for their distro), the non-distro volunteers must be active and helpful in discussions as a condition for their continued subscription. (Indeed, being active and helpful is encouraged for the distro subscribers as well, but it isn't a strict requirement as long as the distro is making good use of the info to prepare fixes.) The volunteer subscriptions will be of them as individuals, unrelated to their employment (if any), and they would be expected not to share the information with their employer(s), nor with anyone else, unless explicitly permitted. The employer(s)' vulnerability disclosure policies, if any, would not apply. If this is inconsistent with a given researcher's employment, that researcher should not accept to be subscribed. Specifically, at this time I am going to subscribe Tavis Ormandy, who happens to have been on vendor-sec. I've already discussed this with him, and he agreed. I first brought this to distros list itself yesterday (after some private discussions with some individual distros, both recently and way earlier), and received no objections. Some of the subscribed distros' representatives spoke in favor of this change (some on the list, some privately to me) and some also made comments (in particular, that we should emphasize that "the volunteer subscriptions will be of them as individuals, unrelated to their employment ...", which I did above). I'd appreciate any further comments that the broader community might have, but for now it's a decision made and I'll proceed. Thanks, Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.