Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 23 Jan 2024 01:42:05 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: announcing sponsorship; distros list statistics for 2023

Hi,

Here's an update:

All components of the oss-security and (linux-)distros infrastructure,
including not only the mailing lists but also the web archive and wiki,
have recently been migrated to new hosting location in the Netherlands.
Due to this location and the proximity to AMS-IX, the websites should
now feel a bit faster from many parts of the world.

This migration was done in several stages, and (due to low DNS RR TTLs
and old resources staying up for a while) should have been transparent.
I anticipate some further transparent, behind-the-scenes changes this
year, such as for better preparedness to restore resources onto backup
infrastructure within a day if we ever have to.

Some further updates inline:

On Mon, Nov 06, 2023 at 09:26:21PM +0100, Solar Designer wrote:
> After 15+ years of being a 100% volunteer effort, Openwall's maintenance
> of oss-security and (linux-)distros is finally sponsored by the OpenSSF,
> a project of the Linux Foundation.  This sponsorship does not provide
> the Linux Foundation with the ability to set policies for community
> resources managed by Openwall.  I am grateful for the support, which
> will help ensure continued operation of these resources on a new level
> while retaining independence.
> 
> As part of the sponsored effort, Openwall (currently me) took
> responsibility for the "statistics" contributing-back task:
> 
> "Keep track of per-report and per-issue handling and disclosure timelines
> (at least times of notification of (linux-)distros and of public
> disclosure on oss-security), at regular intervals produce and share
> statistics (most notably, the average embargo duration) as well as the
> input data (except on issues that are still under embargo) by posting to
> oss-security - primary: Openwall, backup: vacant"
> 
> At different times, this time-consuming task was handled by Gentoo and
> later by Amazon (thanks!) but was lately left unhandled.  Due to the
> sponsorship, I've now retroactively produced statistics for 2023 so far:
> 
> https://oss-security.openwall.org/wiki/mailing-lists/distros/stats/2023

The statistics above now cover all of 2023, with 93 total reports.

> As expected, this uncovered a few mishandled issues, which I've recently
> pushed out to oss-security.  That's why there are several reports (out
> of a total of 86) with embargo duration way in excess of the allowed
> maximum.  This inflated the average duration accordingly, but the median
> stayed sane at 7 days.  This is also why we need to, and now will, take
> care of the statistics task in real time, not only retroactively, so
> that any mishandling is identified and corrected promptly.

No further issues were mishandled like that.

> Also for the first time (something I haven't seen Gentoo and Amazon do)
> included are the source files I manually created based on review of the
> e-mail threads and external resources referenced from there.  These
> files were processed with the also included (and permissively licensed)
> Perl script I wrote, so that others can reproduce the calculations or
> easily process the data differently.

I continued to add these, so we now have all 12 of these for 2023.

Also, the headers-only archives of the private lists last announced in:

https://www.openwall.com/lists/oss-security/2023/10/15/3

have since been updated to cover the period through the end of 2023.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.