Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 14 Jul 2020 14:20:07 -0400
From: Vincent Batts <vbatts@...volk.io>
To: oss-security@...ts.openwall.com, volkerdi@...ckware.com
Subject: Flatcar membership on the linux-distros list

Hey there,

Using the
https://oss-security.openwall.org/wiki/mailing-lists/distros#membership-criteria
I’m outlining why Flatcar Container Linux ought to be on the linux-distros
list.

> Be an actively maintained Unix-like operating system distro with
substantial use of Open Source components

Flatcar has been building releases for 2+ years, when it was
friendly-forked from CoreOS Container Linux (which is now EOL’d).

> Have a userbase not limited to your own organization

Those pulling updated builds from our servers are in the 10’s of thousands
(much beyond our organization).

> Have a publicly verifiable track record, dating back at least 1 year and
continuing to present day, of fixing security issues (including some that
had been handled on (linux-)distros, meaning that membership would have
been relevant to you) and releasing the fixes within 10 days (and
preferably much less than that) of the issues being made public (if it
takes you ages to fix an issue, your users wouldn't substantially benefit
from the additional time, often around 7 days and sometimes up to 14 days,
that list membership could give you)

https://www.flatcar-linux.org/releases/

Lists releases and issues addressed. Including issues like CVE-2020-0543
being addressed within days of other distros publicly exposing their patch
for this embargoed issue.

> Not be (only) downstream or a rebuild of another distro (or else we need
convincing additional justification of how the list membership would enable
you to release fixes sooner, presumably not relying on the upstream distro
having released their fixes first?)

Flatcar had been downstream of CoreOS Container Linux, but now is only
downstream to aspects of Gentoo and ChromeOS, though manages its own
components, build metadata, build infrastructure and update servers.

> Be a participant and preferably an active contributor in relevant public
communities (most notably, if you're not watching for issues being made
public on oss-security, which are a superset of those that had been handled
on (linux-)distros, then there's no valid reason for you to be on
(linux-)distros)

We have already been a participant on oss-security for some time and are
active in a number of communities. Glad to participate.

> Accept the list policy (see above)

We accept.

> Be able and willing to contribute back (see above), preferably in
specific ways announced in advance (so that you're responsible for a
specific area and so that we know what to expect from which member), and
demonstrate actual contributions once you've been a member for a while

There are a number of the items we will do through the course of normal
process (review, test, validate, monitor for issues going public). As for
owning or being a backup, I expect that would be a consideration after
being a member for a period.

> Be able and willing to handle PGP-encrypted e-mail

Yes

> Have someone already on the private list, or at least someone else who
has been active on oss-security for years but is not affiliated with your
distro nor your organization, vouch for at least one of the people
requesting membership on behalf of your distro (then that one vouched-for
person will be able to vouch for others on your team, in case you'd like
multiple people subscribed)

Pat Volkerding can vouch for me (CC’ed), and maybe others, but I asked
volkerdi first :-)


vb


-- 

Vincent Batts

CTO


---
Kinvolk GmbH | Adalbertstr.6a, 10999 Berlin | tel: +491755589364
Geschäftsführer/Directors: Alban Crequy, Chris Kühl, Iago López Galeiras
Registergericht/Court of registration: Amtsgericht Charlottenburg
Registernummer/Registration number: HRB 171414 B
Ust-ID-Nummer/VAT ID number: DE302207000

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.