Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 2 Jul 2017 21:29:23 +0300
From: Igor Seletskiy <i@...udlinux.com>
To: oss-security@...ts.openwall.com
Subject: Re: linux-distros list membership application - CloudLinux

Thank you Alexander,

Please, see my answers bellow.

On Sun, Jul 2, 2017 at 9:07 PM, Solar Designer <solar@...nwall.com> wrote:

> Hi all,
>
> I am inclined to add CloudLinux to the linux-distros list unless there
> are well-reasoned objections.  I'd appreciate any comments.
>
> On Sun, Jul 02, 2017 at 05:29:25PM +0300, Igor Seletskiy wrote:
> > I would like to apply for membership in linux-distros list for CloudLinux
> > OS. Please, see application attached.
>
> Thank you for posting this, Igor.
>
> I am most concerned about your answer to:
>
> > 4. Not be (only) downstream or a rebuild of another distro (or else we
> > need convincing additional justification of how the list membership
> > would enable you to release fixes sooner, presumably not relying on the
> > upstream distro having released their fixes first?)
>
> > Our kernel has significant amount of changes comparing to OpenVZ kernel
> > We also do slight modifications to Apache web server, ship customized
> > versions of PHP (multiple versions), python, ruby, MySQL and MariaDB that
> > are  packaged by us, and not taken from upstream.
>
> So are you saying that you'll release fixes sooner (once you're on the
> linux-distros list) only for this subset of packages that are modified
> or packaged by you?  What about the rest?
>
We would be fixing any security issues that can affect our customers asap.
We have everything setup to do that, and we did it a couple of times.
For packages that are not used by wast majority of our customers, we might
wait
for upstream, and repackage it within 24 hours or so (our typical timeframe
today).



> > We would be happy to help with administrative tasks:
> >
> >    1. Promptly review new issue reports for meeting the list's
> requirements
> >    and confirm receipt of the report and, when necessary, inform the
> reporter
> >    of any issues with their report (e.g., obviously not actionable by the
> >    distros) and request and/or propose any required yet missing
> information
> >    (most notably, a tentative public disclosure date)
> >    2. If the proposed public disclosure date is not within list policy,
> >    insist on getting this corrected and propose a suitable earlier date
> >
> > And possibly more in the future, as we have a better understanding of the
> > amount of work needed to handle those tasks.
> > We will need some handholding at first to make sure we do things
> correctly.
>
> OK.  You'll likely need to choose additional/other tasks very soon since
> these trivial ones will likely transfer to another new distro joining,
> if one requests membership and meets the criteria shortly after you.
>
Of course. Happy to do any tasks, as long as we are guided on what exactly
needs to be done.

>
> > Please, find PGP related info
>
> Thanks.  Out of the people you listed, you and Konstantin appear to have
> been on oss-security for a long while, but Leonid doesn't appear to be
> subscribed - or is he?  If not, he probably needs to subscribe now.
>
I will double check with him, and ask him to join.

>
> Alexander
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.