Date: Thu, 23 Jul 2020 20:45:14 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: "Alban Crequy (Kinvolk)" <alban@...volk.io>, volkerdi@...ckware.com
Subject: Re: Flatcar membership on the linux-distros list

On Thu, Jul 23, 2020 at 02:06:14PM -0400, Vincent Batts wrote:
> On Mon, Jul 20, 2020 at 2:36 PM Solar Designer <solar@...nwall.com> wrote:
> > Vincent, as far as I could find, you personally have subscribed to
> > oss-security 2 months ago, and I couldn't find anyone else from Flatcar
> > Linux subscribed.  (Maybe people are with personal addresses that I
> > didn't associate with Flatcar Linux.)
> 
> For sure.
> While I personally have been near the core of a couple of distributions, I
> never was involved in the contributing-side with oss-security or vendor-sec.
> 2 months ago I joined the Kinvolk team, and am now squarely involved in
> this aspect.
> As for security disclosure overlap, there will now be a decent overlap with
> an operating system component being containers, as I facilitate and lead
> the Open Containers Initiative (OCI) security list, which hosts code like
> runc, specifications and API definitions for container registries.
> https://github.com/opencontainers/.github/blob/master/SECURITY.md

Quite some overlap with (linux-)distros in the approach you use to
pre-public-disclosure handling of security issues, indeed.  One notable
difference is you don't appear to have a maximum embargo time.

> Alban Crequy (CC'ed) who is on the team has had interactions (which
> pre-date flatcar):
> https://seclists.org/oss-sec/2015/q2/722
> https://seclists.org/oss-sec/2014/q3/4

Oh, as I understand from your e-mail signature, Alban is one of your
company's directors.  If so, I do find it convincing for Flatcar Linux's
membership that one of your directors has personally contributed to
security vulnerability discovery and handling.

> Otherwise, the majority of contributions are involved in the respective
> upstreams of the projects.

Such contributions are relevant, too.

> > As I recall other applications to join the linux-distros list since we
> > introduced this contribute-back requirement, distros volunteered for
> > some tasks right away, not "after being a member for a period."  What
> > you say makes sense, but would be a deviation from the practice so far.
> > I'd appreciate not needing to make an exception for you.
> 
> Yeah, no worries! We can begin immediately with:
> * Check if related issues exist in implementations of similar functionality
> in other software

Great.  Ubuntu already signed up as primary for this task, so Flatcar
can be backup.

> * Promptly review new issue reports for meeting the list's requirements and
> confirm receipt of the report and, when necessary, inform the reporter of
> any issues with their report

This one already has both a primary and a backup.  So unless you choose
another second task for you (that doesn't already have two distros
signed up for it), you'll initially be just a backup for "Check if
related issues exist in ... other software", which is fine.

> The number of packages in distro is drastically reduced, and we'll be on
> this.

I don't understand this comment and its relevance, but never mind.

> > > Pat Volkerding can vouch for me (CC'ed), and maybe others, but I asked
> > > volkerdi first :-)
> >
> > We haven't yet heard from Pat Volkerding.  Given your LinkedIn profile,
> > I guess someone from Red Hat could vouch for you as well.
> 
> Pat operates at his time. :-)
> I was not heavily involved on this team at RH, but am asking there and a
> few others as well.

OK.  It looks like we'll add Flatcar as soon as an existing member
vouches for you.

Alexander
