Re: Closed list

[akuster <akuster () mvista com>]

On 04/11/2011 09:57 AM, Josh Bressers wrote:
> ----- Original Message -----
> > Postponed. I'd like to see any support for you getting onto the Linux
> > distros security contacts list, with reasoning, or/and any other
> > suggestions on what to do in this case. Josh - what do you think (as
> > someone who advocated the setup of a vendor-sec replacement)?
>
> My initial thought is that a vendor without public advisories is a
> liability.

Then we has been a liability to vendor-sec ever since we first got
accepted way-back-when. My apologies.

> I don't want to get into the politics of not publishing your advisories,

(I don't either)

> but at the same time, public information such as this is all we have to
> measure if a vendor is using the information at hand.

Agreed.

> I'm happy to draw a line in the sand and make public advisories a mandatory
> requirement. If anyone disagrees, please speak up. This is my personal
> opinion, other viewpoints are welcome.

So publicly available advisories are a requirement.  What about access
to the patches?

Is there somewhere I can point my management to that defines these new
requirements or is this too soon?

Mahalo,
Armin