Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 18 Feb 2008 09:06:09 -0700
From: Vincent Danen <>
Subject: Re: "going public"

* [2008-02-18 10:23:03 +0100] Sebastian Krahmer wrote:

>> The purpose is to discuss cross-vendor (thus the name) issues.  This is
>> not limited to security problems, and indeed it was meant as an addition
>> to vendor-sec to be able to discuss other issues as well - such as license
>> problems with upstream cdrecord or lack of upstream maintenance of cron.
>> Things like that.
>> > 3. vendors are only willing to post private patches if its a closed list
>> >    and they know who is subscribed
>> As soon as vendors are releasing their product the patches cannot be
>> "private" anymore, GPL forbids this, and it's the most frequently used
>> license.
>They are private until CRD. And thats the point. That xvendor
>can become something like a 2nd level cache of vendor-sec.

Yeah, but you would use vendor-sec for that.  I think it's quite
intentional that xvendor has no mention of "security" in it (unlike
oss-security, for instance).

As was previously stated, this is a cross-vendor discussion list for
things that affect all distros; Solar used a glibc bug as an example
before.  Not necessarily security-related, but affects most of us.

I think xvendor is less related to vendor-sec than oss-security would
be.  It might be prudent to look at this way:

- vendor-sec: top level security-only private list (embargoed and
	non-public stuff would go here)
- oss-security: mid-level security-only semi-public list (public
	discussion on security issues goes here)
- xvendor: bottom-level non-security public list (public discussion on
	cross-vendor non-security issues goes here)

I feel bad describing xvendor as a "bottom-level" list, but if you look
at in terms of security (which you're obviously doing) then I think it's
an apt description.  xvendor should not be considered security-related
at all and, I think, security topics would largely be off-topic on this
list (that's what oss-security is for).

Vincent Danen @

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Please check out the xvendor mailing list charter.