Date: Mon, 18 Feb 2008 09:06:09 -0700
From: Vincent Danen <vdanen@...sec.ca>
To: xvendor@...ts.openwall.com
Subject: Re: "going public"

* [2008-02-18 10:23:03 +0100] Sebastian Krahmer wrote:

>> The purpose is to discuss cross-vendor (thus the name) issues. This is
>> not limited to security problems, and indeed it was meant as an addition
>> to vendor-sec to be able to discuss other issues as well - such as license
>> problems with upstream cdrecord or lack of upstream maintenance of cron.
>> Things like that.
>>
>> > 3. vendors are only willing to post private patches if it's a closed list
>> > and they know who is subscribed
>>
>> As soon as vendors are releasing their product the patches cannot be
>> "private" anymore, GPL forbids this, and it's the most frequently used
>> license.

>They are private until CRD. And that's the point. That xvendor
>can become something like a 2nd level cache of vendor-sec.

Yeah, but you would use vendor-sec for that. I think it's quite intentional that xvendor has no mention of "security" in it (unlike oss-security, for instance). As was previously stated, this is a cross-vendor discussion list for things that affect all distros; Solar used a glibc bug as an example before. Not necessarily security-related, but affects most of us.

I think xvendor is less related to vendor-sec than oss-security would be. It might be prudent to look at it this way:

- vendor-sec: top level security-only private list (embargoed and non-public stuff would go here)
- oss-security: mid-level security-only semi-public list (public discussion on security issues goes here)
- xvendor: bottom-level non-security public list (public discussion on cross-vendor non-security issues goes here)

I feel bad describing xvendor as a "bottom-level" list, but if you look at it in terms of security (which you're obviously doing) then I think it's an apt description. xvendor should not be considered security-related at all and, I think, security topics would largely be off-topic on this list (that's what oss-security is for).

--
Vincent Danen @ http://linsec.ca/