Date: Tue, 20 Jul 2021 14:23:26 -0600 From: "Jeremy Soller" <jeremy@...tem76.com> To: oss-security@...ts.openwall.com Subject: Pop!_OS Membership to linux-distros list I, Jeremy Soller, would like to apply for membership to the linux-distros list for Pop!_OS. I am the Principal Engineer at System76 in charge of Pop!_OS development. 1. Be an actively maintained Unix-like operating system distro with substantial use of Open Source components Pop!_OS is an actively maintained Linux distribution. The vast majority of the components of Pop!_OS are Open Source. 2. Have a userbase not limited to your own organization Pop!_OS has a large userbase that exists outside of my organization, System76. 3. Have a publicly verifiable track record, dating back at least 1 year and continuing to present day, of fixing security issues (including some that had been handled on (linux-)distros, meaning that membership would have been relevant to you) and releasing the fixes within 10 days (and preferably much less than that) of the issues being made public (if it takes you ages to fix an issue, your users wouldn't substantially benefit from the additional time, often around 7 days and sometimes up to 14 days, that list membership could give you) Over the history of Pop!_OS, dating back to 2017, we have maintained critical packages and applied security patches soon after they are made public. Our membership to this list would significantly help our users stay secure by allowing us to prepare and test security updates ahead of public disclosure. Please see our GitHub organization for more evidence: https://github.com/pop-os 4. Not be (only) downstream or a rebuild of another distro (or else we need convincing additional justification of how the list membership would enable you to release fixes sooner, presumably not relying on the upstream distro having released their fixes first?) While Pop!_OS is presently based on Ubuntu and Debian, we maintain a number of packages independently, including but not limited to: - flatpak - fwupd - gdm3 - gnome-control-center - gnome-initial-setup - gnome-shell - gnome-settings-daemon - gnome-terminal - linux - linux-firmware - mutter - systemd - virtualbox Many of these packages have had coordinated disclosures that we were not a part of, but would have benifted from being a part of. Ubuntu or Debian changes relevant to these packages are not required to backport security patches to Pop!_OS. 5. Be a participant and preferably an active contributor in relevant public communities (most notably, if you're not watching for issues being made public on oss-security, which are a superset of those that had been handled on (linux-)distros, then there's no valid reason for you to be on (linux-)distros) I have on occasion contributed to some of the projects listed above. I watch them all for relevant security patches. I am subscribed to the oss-security mailing list. 6. Accept the list policy (see above) I accept the list policy. 7. Be able and willing to contribute back (see above), preferably in specific ways announced in advance (so that you're responsible for a specific area and so that we know what to expect from which member), and demonstrate actual contributions once you've been a member for a while I am able and willing to contribute back. 8. Be able and willing to handle PGP-encrypted e-mail I am able and willing to handle PGP-encrypted e-mail. Here is the PGP public key for jeremy@...tem76.com: -----BEGIN PGP PUBLIC KEY BLOCK----- mQENBFh+mI8BCADdkuqr1dpgtjHtvtu2Lb55smOvDZGipQl24rL4DkmYFIY43mz9 55ctlWDMnIf4MDDNExRwfInyPJDaB1DYVBruq9foqDEE59PQqWUYdS292s14nxJt BsEwAq076nIrQedJo5H1kandULx685ylRHB53ZmAvB5WAc9MESuc47AFjTdSmlc4 FZNU8PvE29BrSyAVPFKiyFophu4AIZl7W9MlCsVcJUf4emYsUGpSJ8EJBmoNoSY9 DSQ9kKin2Duo6dQDO8zLSgRQoFEXSTFUk2OjFd7dGnvpZrJpfH+ZqyVa3W3Z0RCG wGJu9aATsZ9kXk5i4l3veg2zsqq4cBPiVBVhABEBAAG0I0plcmVteSBTb2xsZXIg PGplcmVteUBzeXN0ZW03Ni5jb20+iQE3BBMBCAAhBQJYfpiPAhsDBQsJCAcCBhUI CQoLAgQWAgMBAh4BAheAAAoJEOmItJ7nin+x/1wIANoZ0nFVlSxjWZhl8dvJQMB3 uBr8wjF3O76k3lkG6yjGSjZ5REq/62eB+lI/rH1ZKb7TyHNp7SXNwVjD1I/SDmP7 lyvMrzyLdir0Z9aTbqmI96pBVsAFLhTMKxchxM1ThdmHbyKvJlW1ggC//7WRFjN8 u6zqR6U8J2R9fgl9e3P8OLrD3F6SDhBANh1ue0B4bJS3WTu+S9V64IUhClGw73R6 b8cZM+fLGWlKOZcIWnIFcWI93898Unv6LG7eiWe2pYjzr3tpjPN2lpLoZ/hGnV3c vZpmkXhWUInHxp1Ii+e2hFW6VzfVhHKmMIExS3uEnZmTUXitoEW4EwyM+yjPhc25 AQ0EWH6YjwEIAMaWukw1naQLKK5BA/f5ygMf8xyAOQkX9cE6HPtnUXVq3VcyDyhq /A3LGbgLnakUlJ4HU4sP/AZir6CPxXimrpeuZ9dBsMHm5I4uEdG07CSA6VBPeNqA JstCZc8ZCQq4CRSr179qo/WqjcN/Bn04eLOIh1l/7mloxpoP9IriomhzfjrLYMdY F7gdjS9CbVPucxVRuinxBt0TS5wZc5kwdV7jpaPGhh2cJV9igQgo+V5HtweUhB7M wX+pBak65/8M/LxLuumCl3MfcdHiUHOcSdOHDMxqelf6Zg3B4AixjJAz9c52Vlrj W3X7OBi0XVsBQOZ6QefqzP20CHIlvJmK8q8AEQEAAYkBHwQYAQgACQUCWH6YjwIb DAAKCRDpiLSe54p/sVmKCACcoHKDG0wSKedb3TQREPGfGK0d6MAnx1BBStsvw5Mx qhGemuq4s4yPJCvjRCy6/pAoEupLO8pBbQRKgUM594jhoG9yWu+YfhB/OQ+ISBzV P74ti8xGUZaW6n62o31H0fO+zOO8hSRkDNsGuva77btKzmBu+3JRuLS5/+h09a+1 ukAfMv27KmRimkJ/UtCZrU+ZLfBaYREeweqZLKyssQFTIFAAlA/F04ybbf42q/3C 5NCJg1aDxJ1m7ATIAmZOLzrRZS4GVZ8fyAb/rvlPI11nEBlBR9xIWJTy6s4TCE+W wm9v1h9e5HassJDaJkF4Ish/5X/58uWp/j833Xfq0quR =1dPu -----END PGP PUBLIC KEY BLOCK----- 9. Have someone already on the private list, or at least someone else who has been active on oss-security for years but is not affiliated with your distro nor your organization, vouch for at least one of the people requesting membership on behalf of your distro (then that one vouched-for person will be able to vouch for others on your team, in case you'd like multiple people subscribed) I do not know if I have contacts that are already on the linux-distros list.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.