Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 7 Nov 2019 20:01:20 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: independent volunteers on distros list

Hi,

We had independent volunteers subscribed to (linux-)distros since 2017,
as per the announcement over-quoted below.  Initially this was just
Tavis Ormandy.  Later it was also Jason A. Donenfeld.

I appreciate their help.  However, things have changed since 2017 -
we've since introduced specific tasks that specific distros handle,
whereas Tavis and Jason have been inactive as volunteers on the list
lately.  This is understandable as they have a lot of work to do on
other projects.

Thus, as I first communicated to them in private e-mail, I've just
unsubscribed Tavis and Jason, and updated the wiki accordingly (that we
no longer have independent volunteers on the list).

Thank you, Tavis and Jason, for your help.

Alexander

On Thu, May 25, 2017 at 09:37:44PM +0200, Solar Designer wrote:
> Hi,
> 
> On the old vendor-sec list (1998(?) - 2011), there were not only distro
> vendors, but also individual volunteers (in fact, I was originally
> invited in that capacity, prior to Openwall having a Linux distro) and
> some major upstream projects (X.Org, Samba).  When vendor-sec ceased to
> exist, I setup the (linux-)distros list(s), intentionally calling them
> such to more clearly draw the line on who's to be accepted and to avoid
> slippery slope.
> 
> While I'm still of the opinion that non-distro upstream projects should
> not be on those lists (instead, they are being CC'ed when needed), nor
> subject matter experts with certain domain-specific knowledge (ditto),
> I'd like to change my mind regarding the non-distro volunteers (aka
> security researchers) with broad expertise and a track record of
> evaluating vulnerabilities and fixes and finding more issues in those.
> I am referring e.g. to the aftermath of Shellshock public disclosure.
> Rather than have this happen post-disclosure, we can take the slightly
> higher risk of leaks (from having just a few more people subscribed, and
> perhaps people who are better equipped to deal with confidential
> information than most distros' representatives are) and have better
> understanding and fixes pre-disclosure.
> 
> I am convinced there are ways to avoid the slippery slope should the
> issue arise.  There are few people out there who are at the same time
> capable (broad expertise and a track record of finding more issues in
> the fixes), willing, and available to volunteer, and who someone already
> subscribed would vouch for and no one would object against.  Perhaps
> fewer such people than we have distros.  For now these are the criteria,
> but if necessary there are other potential policies we could introduce.
> 
> Unlike people subscribed for distros (whose primary reason to be
> subscribed is that they make use of the info to prepare fixes for their
> distro), the non-distro volunteers must be active and helpful in
> discussions as a condition for their continued subscription.  (Indeed,
> being active and helpful is encouraged for the distro subscribers as
> well, but it isn't a strict requirement as long as the distro is making
> good use of the info to prepare fixes.)
> 
> The volunteer subscriptions will be of them as individuals, unrelated
> to their employment (if any), and they would be expected not to share
> the information with their employer(s), nor with anyone else, unless
> explicitly permitted.  The employer(s)' vulnerability disclosure
> policies, if any, would not apply.  If this is inconsistent with a
> given researcher's employment, that researcher should not accept to be
> subscribed.
> 
> Specifically, at this time I am going to subscribe Tavis Ormandy, who
> happens to have been on vendor-sec.  I've already discussed this with
> him, and he agreed.
> 
> I first brought this to distros list itself yesterday (after some
> private discussions with some individual distros, both recently and way
> earlier), and received no objections.  Some of the subscribed distros'
> representatives spoke in favor of this change (some on the list, some
> privately to me) and some also made comments (in particular, that we
> should emphasize that "the volunteer subscriptions will be of them as
> individuals, unrelated to their employment ...", which I did above).
> 
> I'd appreciate any further comments that the broader community might
> have, but for now it's a decision made and I'll proceed.
> 
> Thanks,
> 
> Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.