Date: Tue, 17 Oct 2023 19:53:21 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: linux-distros list membership application - CIQ Rocky Linux Security Team

Hi,

Thank you all for helping review this application and for commenting on
other related issues.

I'll proceed to list CIQ Rocky Linux Security Team as a linux-distros
member, and will assume that my own subscription is not only as list
admin, but also as a representative of this team.

All messages posted to this thread so far were accepted by moderators -
nothing was rejected.  My summary is as follows, in the order in which
the first messages were posted by each person:

Solar Designer (on linux-distros as list admin):

Submitted the application, implying that it passes my own assessment of
it meeting the criteria, but affiliated with the proposed new member.

Then addressed Neal Gompa's criticism below.

Vegard Nossum (on linux-distros for Oracle Linux):

"As a current distros member, I see no problem with this whatsoever and
I appreciate the transparency."

I assume this satisfies the criterion that "someone already on the
private list, or at least someone else who has been active on
oss-security for years but is not affiliated" "vouch for at least one of
the people requesting membership".

Neal Gompa ("doing work in Fedora, Mageia, and openSUSE"):

"I do not believe that Rocky Linux qualifies for it."

Rationale given was:
1. Timely rebuilds don't "indicate that Rocky/CIQ can respond
effectively when you have a craft updates from scratch".
2. Rebuilds or errata republishing were not always timely over 2 years.
3. SIGs "cannot count because they are intended to be public community
projects" and "cannot obey embargo regulations."
4. Distro is pure-rebuild, "which I believe summarily disqualifies it."
5. CloudLinux and CentOS precedents were different.
6. "I do not feel that you alone is sufficient"

I addressed it as follows:
1. Timely rebuilds show "that the project cares and is long-term" and
"alone satisfy the criterion's current wording."  Statement that own
updates were also being made for LTS branches and public information on
recent own updates via the SIG demonstrate "capability, infrastructure
setup, and intent".  This is a separate criterion, which does not
require a long-term track record.  So both criteria are satisfied.
2. There's no requirement "that 100% of updates and publications must
be quick.  Things do go wrong sometimes, and updates for lower severity
issues are often reasonably delayed".  (With further clarifications.)
3. CIQ LTS branches alone would have been sufficient.  SIGs also do
count as the team "is to provide security maintenance for these, and via
the Security SIG also optional mitigations and early fixes for Rocky
Linux."  And yes, this can be done within list rules despite SIGs being
"intended to be public community projects".  (With explanation of how.)
4. The existence of CIQ LTS branches and Rocky Linux SIGs changes that.
5. Fair enough.  "what I described above is sufficient for the purpose
of linux-distros membership."
6. Of course not - the new member also meets the criteria.

Martin Hecht ("Not being member of any distribution, but a long-time
subscriber"):

"I give my vote for Alexander as a representative of CIQ Rocky Linux
Security Team on linux-distros list."

Addressed Neal Gompa's criticism:
1, 2. Provided examples using the recent glibc updates.  "accusing Rocky
being late in providing packages at least is not valid in general imho.
At least important ones, like this one, seem to arrive rather quickly."
3, 4. "the point here is "*not only* being a rebuild of another distro".
So, their engagement with SIG should already be a valid add-on to be
honored."  "CIQ offers LTS branches [...] clearly distinguishes them
from a "pure distro rebuild"."

Jeremy Stanley (OpenStack, long-term oss-security contributor) and
Morten Linderud (Arch Linux):

3. Provided additional examples of "public community projects" that do
"obey embargo", further refuting Neal Gompa's point.

Alexander
