Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 12 Jan 2020 18:47:26 +0100
From: Solar Designer <solar@...nwall.com>
To: Kees Cook <kees@...ntu.com>
Cc: oss-security@...ts.openwall.com,
	Jorge Lucangeli Obes <jorgelo@...gle.com>
Subject: Re: linux-distros membership adjustment/vouching

Hi,

On Fri, Jan 10, 2020 at 12:52:41PM -0800, Kees Cook wrote:
> I've been a member of linux-distros for a long while, and my hat has
> slowly changed over that time. I'm subscribed there (and here) as
> kees@...ntu.com.  When I my responsibilities shifted from the Ubuntu
> Security Team to the Chrome OS Security Team, I just kept the email
> address (since it's a community address and I'm still part of the Ubuntu
> community).
> 
> However, as my responsibilities have shifted, I'm much less involved
> with the Chrome OS Security Team, and it was recently pointed out that
> no one else from the Chrome OS Security Team is (to our knowledge)
> a member right now.
> 
> So, attempting to solve things in a backwards order, I'd like to first
> vouch for a Chrome OS Security Team member who is already on oss-security,
> with the goal of having them added to the linux-distros list:
> 
>     Jorge Lucangeli Obes <jorgelo@...gle.com>

Given the above, I'd be happy to subscribe Jorge for Chrome OS.  I just
need Jorge's PGP key.  I also suggest using an e-mail address not on
Google's MX'es, because those reject messages sent from domains with
strict DMARC policy (most notably, when another Googler posts).

Normally such subscription changes for an already subscribed distro are
handled off-list.  However, what you bring up below deserves being
discussed on oss-security:

> Then I'd like to figure out what to do with my own membership. I'm
> still associated with Ubuntu, Chrome OS, and Android but I don't have
> "official" responsibilities as a representative of their respective
> security teams. I am, however, an upstream Linux kernel security contact
> (but that doesn't qualify as a "Unix-like operating system distro", from
> item "1" in the membership criteria[1]). I am still involved in fixing,
> notifying, negotiating, delegating, etc, in these various distros. Should
> I stay on linux-distros? I would prefer to (it makes that work simpler),
> but since there isn't any "criteria for continuing membership" on the
> Wiki, I'm not entirely sure what the right course of action should be.

I think it'd be most consistent with our criteria so far if (at least)
one of those distros' security teams does state that you'd represent
them.  Without that, you staying on linux-distros would be weird and
inconsistent with requirements we set for others.

> (And if I stay, perhaps it would be more accurate to use kees@...nel.org?)

It'd be up to you to choose an e-mail address that's convenient for
you.  Messages are encrypted anyway, so this choice sort of does not
matter for security.  In practice, though, it does matter a little bit:
if you choose an e-mail address in a specific distro's domain name, then
if you ever leave their team and they disable that e-mail account you
wouldn't be getting the messages anymore (and they wouldn't be able to
read messages intended for you as well, due to the encryption to your
key), even if they forget to promptly ask for your address to be removed
from the list.  Despite of this minor security advantage, I don't insist
on use of such e-mail addresses so far, as I realize it's often far more
convenient to use an external e-mail address.

As to kernel.org, it isn't particularly relevant here since the Linux
kernel is not a Linux distro.  It's just an address you can use, just
like any other address.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.