oss-sec mailing list archives

Re: Closed list


From: Solar Designer <solar () openwall com>
Date: Wed, 1 Jun 2011 21:51:34 +0400

Hi Chandan and all,

I've just subscribed Chandan to the Linux distros list (for Oracle
Linux), although as a community member I have reservations about that.
I was hoping to see more comments from others in the community.

I've included some comments of my own below:

On Tue, May 17, 2011 at 10:43:10AM -0700, Oracle Security Alerts wrote:
> If we know about vulnerabilities in advance, our fixing process
> starts before Red Hat releases their updates. It starts with an
> assessment of the issue, reviewing the fix for completeness and
> applicability to our kernel and the components we maintain or provide in
> our Linux distribution. See
> http://www.oracle.com/us/technologies/linux/026042.htm
> or http://oss.oracle.com/

This makes sense.

Unfortunately, since Chandan is not on Oracle's Linux team and since
Oracle Linux includes pretty much "everything" that Linux distros do, my
concern is that Chandan will need to forward almost every message to
others at Oracle.  While this would be very helpful for occasional
messages (forward relevant messages only and to the right people only),
if done for almost every message it feels like it'd be better to have
some Oracle Linux folks subscribed directly, like we do for other distros.

But apparently the Oracle Linux folks don't really care - at least this
is the impression I got from this discussion thread so far, and I'd be
happy to be proven wrong.  Sure, it is possible to read oss-security
other than by being subscribed to the mailing list, and sure it is
possible to receive forwards from Chandan internally, but to me this
does show lack of interest.  Again, I'd be happy to be convinced that
this is not the case - such as by Oracle's active participation on the
new list and on oss-security, discussing Linux specific issues (beyond
and besides list membership).

> We have a large user base to protect. We do get reports of
> vulnerabilities in our Linux distribution which we may want to fix
> in collaboration with the rest of the community.

I'd be happy to see this happen.  For low severity issues, please post
to oss-security right away.

> > Oracle was never actually accepted to vendor-sec for Oracle Enterprise Linux.
>
> Not correct. From the archives of vendor-sec I see there had been at
> least two representatives from Oracle Linux at vendor-sec and we had
> membership ever since Oracle started distributing Linux.
>
> This discussion was held whenever they requested to subscribe to
> vendor-sec and it was concluded that while we may be redistributing
> some packages, Oracle Linux is a distro in its own right.

This is semi-consistent with what Tomas Hoger wrote:

"IIRC, Oracle was subscribed to v-s more than once - the "Sun" exploder
that was subscribed for quite a while (originally as Solaris vendor
probably), and individual OEL representative, added around the time
Oracle was in the process of acquiring Sun and there was no single
security contact for all products yet."

However, I don't see anyone from Oracle on what was given to me as the
final vendor-sec members list.  There's Sun's exploder, but no Oracle,
nor any Oracle person.

I recall that Joel Becker of Oracle had briefly contributed both to
vendor-sec and to oss-security discussions (thanks!), e.g. here:

http://www.openwall.com/lists/oss-security/2010/09/30/2

I don't recall if Joel was on vendor-sec (perhaps he was subscribed for
a while, then he asked to unsubscribe? just a guess), but I don't see
him on the final members list, and he has since unsubscribed from
oss-security (which may or may not indicate anything).

It would make more sense to me to subscribe Joel for Oracle Linux
(unless he's in fact not involved in that anymore, which I have no idea
of), and Chandan for Solaris and other ex-Sun products (to a proper
list, once/if one is set up).

Arguably, it's none of my business to suggest a distro vendor who to
subscribe, and as list admin I accept Oracle's decision for Chandan to
represent Oracle Linux.  I am just saying that as a community member I
would be more convinced of Oracle's interest in and ability to handle
advance notifications of security issues in Oracle Linux specifically if
a Linux person were being subscribed to that list (and participated on
oss-security as well, like Joel briefly did).

> > Then, the only @oracle.com person currently on oss-security (judging by
> > the e-mail addresses) appears not to be involved with Oracle Enterprise
> > Linux specifically.
>
> There are other ways to subscribe to this list than email. See:
> http://oss-security.openwall.org/wiki/mailing-lists/oss-security

Sure.

> > Can you please add your info to the following wiki pages?
> > http://oss-security.openwall.org/wiki/vendors
>
> Done.

Thank you!

If you can, please also add a section to:

http://oss-security.openwall.org/wiki/distro-patches

which would help other distros find your source code patches for
possible reuse.

Alexander
