Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 8 Jul 2019 14:51:37 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: linux-distros membership application - Microsoft

On Sat, Jul 06, 2019 at 06:29:36PM -0400, Sasha Levin wrote:
> On Sat, Jul 06, 2019 at 09:37:37PM +0200, Solar Designer wrote:
> >On Fri, Jun 28, 2019 at 01:08:12PM -0400, Sasha Levin wrote:
> >>Can I suggest that we fork the discussion around security-bugs.rst to
> >>LKML? I can suggest an initial patch to address your comments here but I
> >>think that this is better handled on LKML.
> >
> >Yes, please.
> 
> Sure, give me a day or two to get it out. I'll cross-post
> LKML/ksummit-discuss/oss-security

Please just take this to LKML, without CC to oss-security.  We can
summarize the changes for oss-security separately.  I don't know about
relevance to ksummit-discuss.

> as I think it's one of those times it actually makes sense.

This might or might not be an exception, but in general CC'ing a thread
to LKML and oss-security is problematic and is specifically discouraged
in oss-security content guidelines:

https://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines

"Please don't cross-post messages to oss-security and other mailing
lists at once, especially not to high-volume lists such as LKML and
netdev, as this tends to result in threads that wander partially or
fully off-topic (e.g., Linux kernel coding style detail may end up being
discussed in comments to a patch posted to LKML, but it would be
off-topic for oss-security).  If you feel that something needs to be
posted to oss-security and to another list, please make separate
postings.  You may mention the other posting(s) in your oss-security
posting, and even link to other lists' archives."

> >More importantly, maybe we shouldn't list "Microsoft" as a member of
> >linux-distros.  Microsoft is so much more than the recent Linux-based
> >products and services.  We similarly list "Amazon Linux AMI" rather than
> >"Amazon", and "Chrome OS" rather than "Google" (and we had separately
> >listed "Android", which has since unsubscribed), and "Ubuntu" rather
> >than "Canonical".  OTOH, we were not as careful to list proper products,
> >etc. for some others such as "Oracle".
> >
> >If we list "Microsoft", this might be especially confusing since issues
> >being reported might also be relevant to Windows.  The reporters need to
> >know they're not reaching Windows security team unless they specifically
> >authorize that.
> >
> >Any suggestions on the above?
> 
> Yes, this is tricky. Maybe "Microsoft Linux Systems Group"? Thats our
> group name within Microsoft. I guess that we can also add a short wiki
> page with references to the products/distros we support as well as a
> clarification that this has nothing to do with Windows and list MSRC's
> contact information.

I think listing "Microsoft Linux Systems Group" is enough to avoid the
confusion.  I support Moritz's request for you to add to our existing
wiki pages with vendors' security contact information, and you can list
the pertaining products/distros nearby.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.