Date: Wed, 13 Dec 2023 19:44:57 +0100
From: Darya Malyavkina <dmalyavkina@...udlinux.com>
To: Jonathan Wright <jonathan@...alinux.org>
Cc: oss-security@...ts.openwall.com, Andrew Lukoshko <alukoshko@...alinux.org>, 
	benny Vasquez <benny@...alinux.org>, Igor Seletskiy <iseletsk@...alinux.org>, 
	Jack Aboutboul <jack@...alinux.org>
Subject: Re: AlmaLinux Distros List Application

Hello,

I'm Darya Malyavkina, Director of Release Engineering at CloudLinux. I
vouch for Jonathan Wright and Andrew Lukoshko.

On Tue, Dec 12, 2023 at 9:35 PM Jonathan Wright <jonathan@...alinux.org>
wrote:

> I’m submitting this application on behalf of the AlmaLinux OS Foundation.
>
>
> Myself (Jonathan Wright) and Andrew Lukoshko, our lead architect, would be
> joining if approved.
>
>
> 1. Be an actively maintained Unix-like operating system distro with
>    substantial use of Open Source components
>
>    1. We are actively maintained and have released 4 minor versions this
>       year (8.8, 8.9, 9.2, and 9.3) along with small updates within the minor
>       versions, generally at least a few updates per week.
>
> 2. Have a userbase not limited to your own organization
>
>    1. Our public mirror system alone serves 750k unique systems weekly,
>       and is used worldwide for a variety of things.
>
> 3. Have a publicly verifiable track record, dating back at least 1 year
>    and continuing to present day, of fixing security issues (including some
>    that had been handled on (linux-)distros, meaning that membership would
>    have been relevant to you) and releasing the fixes within 10 days (and
>    preferably much less than that) of the issues being made public (if it
>    takes you ages to fix an issue, your users wouldn't substantially benefit
>    from the additional time, often around 7 days and sometimes up to 14 days,
>    that list membership could give you)
>
>    1. Historically we have been following Red Hat releases within 1-2
>       days, and since our shift in June away from following Red Hat we have been
>       able to release some security updates ahead of Red Hat (Iperf3 patch and
>       AMD microcode/kernel patches specifically). We would not be beholden to
>       CentOS Stream updates for our patch releases.
>
> 4. Not be (only) downstream or a rebuild of another distro (or else we
>    need convincing additional justification of how the list membership would
>    enable you to release fixes sooner, presumably not relying on the upstream
>    distro having released their fixes first?)
>
>    1. While we've historically done that (which is why it didn’t make
>       sense to join earlier), we shifted in June to our own OS that is
>       ABI-compatible with RHEL.
>
> 5. Be a participant and preferably an active contributor in relevant
>    public communities (most notably, if you're not watching for issues being
>    made public on oss-security, which are a superset of those that had been
>    handled on (linux-)distros, then there's no valid reason for you to be on
>    (linux-)distros)
>
>    1. We have many participants on the oss-security list.
>
> 6. Accept the list policy (see above)
>
>    1. Accepted.
>
> 7. Be able and willing to contribute back (see above), preferably in
>    specific ways announced in advance (so that you're responsible for a
>    specific area and so that we know what to expect from which member), and
>    demonstrate actual contributions once you've been a member for a while
>
>    1. Immediately we can begin to help reporters ensure their reports are
>       following the requirements and are confirmed/replied to. As we advance our
>       understanding of how things operate, and the need arises, we can expand our
>       work into contributing more deeply.
>
> 8. Be able and willing to handle PGP-encrypted e-mail
>
>    1. Done.
>
> 9. Have someone already on the private list, or at least someone else who
>    has been active on oss-security for years but is not affiliated with your
>    distro nor your organization, vouch for at least one of the people
>    requesting membership on behalf of your distro (then that one vouched-for
>    person will be able to vouch for others on your team, in case you'd like
>    multiple people subscribed)
>
>    1. Darya Malyavkina from CloudLinux will vouch for us.
>
>
> --
> Jonathan Wright
> AlmaLinux Foundation
> Mattermost: chat <https://chat.almalinux.org/almalinux/messages/@jonathan>
>


-- 
Best regards,
Darya Malyavkina
Director of Release Engineering at CloudLinux

CloudLinux.com <http://cloudlinux.com/>  |  KernelCare.com
<http://kernelcare.com/>  |  Imunify360 <http://imunify360.com/>  |
AlmaLinux <https://almalinux.org/>

helpdesk.cloudlinux.com: 24/7 Free, exceptionally good support
Follow twitter.com/CloudLinuxOS for technical updates
