Date: Tue, 5 Nov 2019 19:42:28 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Joe McManus <joe.mcmanus@...onical.com>,
	Anthony Liguori <aliguori@...zon.com>
Subject: Re: Contributing Back

Hi Joe, hi Anthony -

I'll over-quote a bit since it's an old thread:

On Mon, Jul 15, 2019 at 09:28:01PM +0200, Solar Designer wrote:
> On Mon, Jul 15, 2019 at 11:54:23AM -0700, Anthony Liguori wrote:
> > On Mon, Jul 15, 2019 at 11:47 AM Joe McManus <joe.mcmanus@...onical.com> wrote:
> > > > On Tue, Jul 09, 2019 at 07:00:36PM -0600, Joe McManus wrote:
> > > > > Hey All - The Ubuntu Security Team would like to sign up for items 3,4
> > > > > & 5 from the technical list
> > > > > <https://oss-security.openwall.org/wiki/mailing-lists/distros#contributing-back>:
> > > > >
> > > > > 3 - Review and/or test the proposed patches and point out potential issues
> > > > >   with them [...]
> > > > > 4 - Check if related issues exist in the same piece of software [...]
> > > > > 5 - Check if related issues exist in implementations of similar
> > > > >   functionality in other software [...]
> [...]
> > > Yes, this will be taken care of by Ubuntu Security Team members who
> > > are already on the list, however if after some time we need to cycle
> > > someone in or out I might come asking. I know you don't want to add
> > > anyone so we will do our best to prevent this from happening.
> > >
> > > For 3 we can be either primary or backup, just let me know your
> > > preference and we'll do the work.
> > 
> > I would be happy for y'all to be primary.  We don't ship as many
> > packages as Ubuntu does so there will be more things that you are
> > likely to test compared to what we do.
> 
> OK, I've just listed Ubuntu as primary for 3, 4, 5.  Amazon is now
> backup for 3.
> 
> Please note that these items include "and inform the list of the work
> done even if no issues were encountered" (item 3), "and inform the list
> either way" (items 4, 5), so we'll expect replies to the list as per
> these items for each and every issue reported to there.

I am not seeing this "inform the list either way" stuff actually
happening.  Without it, no other distro has a way to know the work is
actually being done.  Once I had pointed this need out a while before,
Amazon briefly started making those mandatory postings for task 3, until
they were replaced by Ubuntu as primary.  In fact, given the lack of
such postings by Ubuntu, I would still expect Amazon to take over for
task 3, which they're the backup for, and it looks like they did that
exactly once:

As far as I can see, the last time Amazon handled task 3 was on July 25,
which is 10 days after Ubuntu became primary for that task.  This was
much appreciated.  Unfortunately, as far as I can see, neither distro
(visibly) handled these tasks ever since, with one exception:

Ubuntu did point out that a patch didn't have a corresponding testsuite
change, and thus tests failed, in a posting on October 10.  So hopefully
they were doing the work, except for the "inform the list either way"
part - but that's an important part!

It is possible that I missed or don't recall some other occasions, but I
think I got the overall picture right.

Joe, Anthony - can you please have your distros start handling these
tasks fully, as described?

Thanks in advance,

Alexander
