Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 17 Aug 2021 14:31:35 +0200
From: Solar Designer <>
Subject: Re: Pop!_OS Membership to linux-distros list

Hi Jeremy,

I'm sorry about the delay.  I was hoping someone else would chime in.

On Wed, Aug 04, 2021 at 09:59:02AM -0600, Jeremy Soller wrote:
> On Tue, Jul 27, 2021, at 11:59 AM, Solar Designer wrote:
> > On Tue, Jul 20, 2021 at 02:23:26PM -0600, Jeremy Soller wrote:
> > > Over the history of Pop!_OS, dating back to 2017, we have maintained critical
> > > packages and applied security patches soon after they are made public. Our
> > > membership to this list would significantly help our users stay secure by
> > > allowing us to prepare and test security updates ahead of public disclosure.
> > > Please see our GitHub organization for more evidence:
> > 
> > I think it'd be most convincing for us all to see specific examples of
> > you having "applied security patches soon after they are made public",
> > with dates public vs. fixed in Pop!_OS.
> How many examples should I provide? The last security patch I did was for
> systemd. We have patches on systemd which means we cannot use the Ubuntu
> version directly, so when, for example, CVE-2020-13529 and CVE-2021-33910
> patches arrived in Ubuntu 21.04 on July 20, 2021, I applied them to our own
> fork of systemd for Pop!_OS 21.04 that same day:
> -
> -
> Pop!_OS needs to participate in linux-distros to ensure we have patches ready
> for our forks of packages that do not come straight from Ubuntu. I listed the
> relevant packages in my original email, many of which we have had to do
> security updates for after some embargo lifts, with very little time to prepare.

There's no specific requirement on the number of examples.  The above
looks reasonable to me.

> > > 7. Be able and willing to contribute back (see above), preferably in specific
> > > ways announced in advance (so that you're responsible for a specific area and
> > > so that we know what to expect from which member), and demonstrate actual
> > > contributions once you've been a member for a while
> > > 
> > > I am able and willing to contribute back.
> > 
> > Please choose a specific task (or several).
> > 
> > I suggest the statistics task:
> > 
> > "13. Keep track of per-report and per-issue handling and disclosure
> > timelines (at least times of notification of the private list and of
> > actual public disclosure), at regular intervals produce and share
> > statistics (most notably, the average embargo duration) as well as the
> > raw data (except on issues that are still under embargo) by posting to
> > oss-security - primary: Amazon, backup: Gentoo"
> > 
> > As you can see, it is currently assigned to Amazon and Gentoo, but as
> > far as I can see neither is actually handling it now, so I'd like to
> > formally unassign it from them and have another distro handle it.
> That would be fine, but I would be curious if there is some reason they have
> not been fulfilling this task.

I cannot speak for them, but the task does require some effort on every
issue, and perhaps the specific people are just not putting the effort.
As you can see, this was different in 2017-2019 when Gentoo had a person
actually working on this task.

Besides statistics per se, an important desirable side-effect of working
on this task is that you'd end up double-checking that every issue does
in fact get reported to oss-security.
> > > 9. Have someone already on the private list, or at least someone else who has
> > > been active on oss-security for years but is not affiliated with your distro
> > > nor your organization, vouch for at least one of the people requesting
> > > membership on behalf of your distro (then that one vouched-for person will be
> > > able to vouch for others on your team, in case you'd like multiple people
> > > subscribed)
> > > 
> > > I do not know if I have contacts that are already on the linux-distros list.
> > 
> > It can also be "someone else who has been active on oss-security for
> > years but is not affiliated".  Anyone?
> I believe Tyler Hicks is willing to do this.

Like he says, he'd "be a lot more comfortable if someone could provide a
stronger vouch."

However, overall I think Pop!_OS and you personally (also considering
your work on Redox OS) do meet the requirements.  So let's proceed with
the subscription.  Please e-mail me off-list with your e-mail address
and PGP key to use.  Please also confirm in this thread that we're
getting the statistics task assigned to you, and we can discuss some
specifics on what's to be done on it.



Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.