Date: Sun, 1 Oct 2023 15:02:23 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: linux-distros list membership application - CIQ Rocky Linux Security Team

Hi,

Rocky Linux is a prominent Enterprise Linux distribution in the spirit
of the original goals of the CentOS project, founded by Gregory Kurtzer,
who had also co-founded CentOS and is founder and CEO of the primary
corporate sponsor of the Rocky Linux project, CIQ:

https://rockylinux.org
https://ciq.com

Besides heavily sponsoring Rocky Linux (yet without being its owner),
CIQ also has its own Open Source and commercial offerings:

"Our software stack consists of Rocky Linux the CentOS replacement,
Apptainer the container solution of choice for HPC, Warewulf a
provisioning and cluster management solution, and Fuzzball our
next-generation performance computing platform that is multi-cloud,
multi-site, multi-cluster, and multi-node."

Most relevant here, CIQ maintains LTS branches of Rocky Linux point
releases (such as of 8.6 when current is 8.8), providing security
updates to those of its customers who wish to otherwise stay at a given
point release.

Further, the Rocky Linux project isn't limited to being a resurrection
of CentOS (its packages being bug-for-bug compatible with RHEL), but
also has a number of Special Interest Groups (SIGs) offering additional
package repositories:

https://wiki.rockylinux.org/special_interest_groups/

I have recently joined this effort and we're now getting the Security
SIG going.  This means an optional repository of extra packages for
Enterprise Linux distros adding security features and even overriding
some packages with hardened alternatives.  We already have a few
packages of both kinds, and many more are planned.  If anyone else wants
to join this effort - in any capacity including development,
maintenance, testing, documentation, or something else - let me know!

This application is for CIQ Rocky Linux Security Team, which means CIQ
employees, (sub)contractors, and/or Rocky Linux project contributors
trusted and tasked with producing security updates for Rocky Linux,
CIQ's LTS branches of Rocky Linux, and possibly CIQ's other offerings
building upon Rocky Linux.

I address the 9 membership criteria below:

> Be an actively maintained Unix-like operating system distro with substantial use of Open Source components

Rocky Linux has been actively maintained since its release in 2021, and
is an Open Source project.  Many of CIQ's additional offerings are also
Open Source projects on their own.

> Have a userbase not limited to your own organization

Rocky Linux has been publicly available since its release in 2021, and
per EPEL repository access statistics has gained a userbase on par with
other major EL distributions:

https://ciq.com/blog/tracking-rocky-linux-growth-using-fedoras-epel-project/
https://brentk.io/thoughts/analysis/epel-distribution-statistics.html
https://rocky-stats.tiuxo.com

Further, CIQ has its customer base for Rocky Linux support, including
for the LTS branches.

> Have a publicly verifiable track record, dating back at least 1 year and continuing to present day, of fixing security issues (including some that had been handled on (linux-)distros, meaning that membership would have been relevant to you) and releasing the fixes within 10 days (and preferably much less than that) of the issues being made public (if it takes you ages to fix an issue, your users wouldn't substantially benefit from the additional time, often around 7 days and sometimes up to 14 days, that list membership could give you)

The publicly verifiable track record currently consists of timely
rebuild and re-release of RHEL security update packages and security
advisories, as published here:

https://errata.rockylinux.org

Not currently verifiable publicly, but Gregory further tells me:

"We've been doing LTS privately to our customers for over a year now.
This means we maintain security fixes for customers who need long term
support for point releases."

> Not be (only) downstream or a rebuild of another distro (or else we need convincing additional justification of how the list membership would enable you to release fixes sooner, presumably not relying on the upstream distro having released their fixes first?)

Besides being a "downstream or a rebuild of another distro", CIQ has its
LTS branches and Rocky Linux has its additional and replacement packages
via the SIGs.  Security maintenance for these should be provided by CIQ
and Rocky Linux.

Some security issues in upstream packages may be mitigated or fixed by
pushing "security override" packages via CIQ's customer-facing repos and
the Security SIG repos, without waiting on upstream distro's fixes and
for issues or point releases where no upstream fixes are expected.

A related previously accepted membership application (precedent) is
CloudLinux's, which is now perhaps best known for AlmaLinux, another
prominent EL distribution:

http://www.openwall.com/lists/oss-security/2017/07/02/2

Also, CentOS was once a member.

> Be a participant and preferably an active contributor in relevant public communities (most notably, if you're not watching for issues being made public on oss-security, which are a superset of those that had been handled on (linux-)distros, then there's no valid reason for you to be on (linux-)distros)

I have been a participant on oss-security since its inception, and have
made relevant contributions.  Others with CIQ and Rocky Linux are also
involved in various communities, and we'll ensure that the team to be
subscribed to linux-distros isn't blind to publicly disclosed issues.

> Accept the list policy

CIQ Rocky Linux Security Team accepts the linux-distros list policy.

> Be able and willing to contribute back, preferably in specific ways announced in advance (so that you're responsible for a specific area and so that we know what to expect from which member), and demonstrate actual contributions once you've been a member for a while

I've been contributing to oss-security and linux-distros since their
inception.  We'll also look for additional ways CIQ and/or Rocky Linux
can contribute, depending on expertise, interests, other related duties,
and availability of specific people we may add.

> Be able and willing to handle PGP-encrypted e-mail

Of course.  I am already subscribed with my PGP key.

My current subscription is as list admin and it also was for Openwall.
Openwall no longer qualifies for linux-distros membership as a distro
since we've effectively EOL'ed the Openwall GNU/*/Linux distro (we still
do maintain many other projects, but not a full distro).  However, I
and/or someone else from Openwall would have needed to stay subscribed
as list admin anyway.

With my new Rocky Linux role, my subscription's purpose will once again
double as list admin and for the distro.

> Have someone already on the private list, or at least someone else who has been active on oss-security for years but is not affiliated with your distro nor your organization, vouch for at least one of the people requesting membership on behalf of your distro (then that one vouched-for person will be able to vouch for others on your team, in case you'd like multiple people subscribed)

I suppose someone in here can vouch for me.  Please do - ideally, if you
also have something else to say on this application in the same message,
not to spam list members with messages solely to meet this formality.

I may then get additional CIQ and/or Rocky Linux people subscribed,
effectively vouching for them, after making sure they understand and
accept the list policy.

Alexander