oss-sec mailing list archives
Vendor-sec hosting and future of closed lists
From: R P Herrold <herrold () owlriver com>
Date: Tue, 8 Mar 2011 11:19:43 -0500 (EST)
On Tue, 8 Mar 2011, Josh Bressers wrote:

prior content, not from Josh:

> We would also be willing to host and maintain a closed vendor-sec style mailing list like the previous one with the only condition for member list to be public (not necessarily the individual contact names but at least the entities represented).

I guess I do not see the reason for such a listing. The list that Josh put together from memory does not include the distributions I represented and coordinated vendor-sec matters for. Having such a list just offers better target identification of those NOT on the list and thus may lag a CRD, no? How is this beneficial?

> There is also the option of recreating an old style list. This is a bit more ad-hoc and Openwall has already offered to host such a thing (Solar has quite a bit already in place). I do favor this a bit, as it would make a nice complement to oss-security

I favor such as well - I posted an offer to host such pro bono as a neutral vendor (centos inherently trails), but it was caught up in the trashing of the old vendor-sec host and so did not ever pass the old list. Openwall's offer is fine by me as well. I mentioned adding opportunistic SSL/TLS transport on the mailserver, to cut out casual MitM eavesdropping.

> 1) Membership management is a pain. Adding new people is annoying and nobody ever leaves.
> 2) Nobody is in charge, which means sometimes issues can get ignored or forgotten (also see #1)

These track together -- mailman or such will cull dead email accounts that bounce of course, but that is a pretty mild form of management. Absent a charter to somehow mandate some 'contribution' to remain on a list, there is not a clear rule to 'weed' the list. But is this really needed except from some idea of avoiding 'too many eyes'? Frankly running a distribution is work and for non-commercial distributions, unpaid work.

If a criterion for remaining on the list is needed, it is needed to make sure that eyes are still reading the content -- handle that with a periodic 'tracer' piece, and drop non-responders.
-- Russ herrold (centos, cAos)