oss-sec mailing list archives
Re: Closed list
From: Solar Designer <solar () openwall com>
Date: Sat, 30 Apr 2011 19:26:14 +0400
Hello Chandan, all -

On Tue, Apr 26, 2011 at 10:03:58AM -0700, Oracle Security Alerts wrote:
> Please subscribe us to the new list. I'll send specific emails and keys in a separate mail.
I've received a message off-list with the address to subscribe and PGP key info. I've just replied to that message.

I see several issues with adding Oracle to the new list, see below.

Does Oracle start to prepare security updates for Oracle Enterprise Linux before or after Red Hat releases theirs? If it's after, then there's too little need for Oracle to have advance notification. If it's before, then I think the folks in here would like more detail on your approach, and what components this applies to. Is it maybe just the Linux kernel, with the rest being rebuilds of Red Hat's SRPMs?

These are merely questions from someone who doesn't know (me). I think some others in here would have similar questions, and I'm afraid it's my responsibility to ask them (since no one else has dared to, yet...)

(Similar questions were raised for CentOS.)
> We were members of vendor-sec as Sun Microsystems team, and now represent all of Oracle software and hardware products including but not limited to Oracle Enterprise Linux, Solaris, Java, MySQL and Open Office.
Of these, only Oracle Enterprise Linux may qualify you for the list that has been set up so far.

As you say, Oracle got onto vendor-sec through the acquisition of Sun. Although formally this satisfies "must be a vendor-sec member" for the initial seed membership of the new list, it does feel like a bypass of the intent of this requirement. Oracle was never actually accepted to vendor-sec for Oracle Enterprise Linux.

Then, the only @oracle.com person currently on oss-security (judging by the e-mail addresses) appears not to be involved with Oracle Enterprise Linux specifically. The person I was asked to subscribe is not publicly known (according to a Google web search I did) for any Oracle Enterprise Linux work. I could be wrong, but based on these findings my feeling is that Oracle does not pay much attention to Linux issues being publicly disclosed in here. Thus, I see little need for Oracle to have advance notification of other Linux issues.
> We found vendor-sec very useful in early identification of vulnerabilities not only in free and open source code used in our products, but also in common protocols, file formats or kernel modules/software with similar functionality or logic.
These are some great reasons for you to be on public lists such as oss-security.

This is also a reason for us to avoid unnecessarily discussing general issues in private. We'll try to do better with the new list(s) - that is, if I see an issue unnecessarily being discussed in private, I am going to insist on it being brought to a suitable public list instead. I hope others on the list will also watch for such unnecessarily-private topics.

Finally, it is a reason to publish the closed lists' archives with a delay, which is something I am going to revisit.
> All our security advisories are freely available.
Great. Can you please add your info to the following wiki pages?

- http://oss-security.openwall.org/wiki/vendors
- http://oss-security.openwall.org/wiki/distro-patches

This will be useful regardless of whether you're subscribed or not, and to which lists.

Thanks,

Alexander