oss-sec mailing list archives

Re: *BSD security contacts


From: Solar Designer <solar () openwall com>
Date: Thu, 21 Jul 2011 22:25:18 +0400

On Thu, Jul 21, 2011 at 10:25:07AM -0500, Tim Zingelman wrote:
> On Tue, Jul 19, 2011 at 9:55 AM, Solar Designer <solar () openwall com> wrote:
>> On Tue, Jul 19, 2011 at 09:28:51AM -0500, Tim Zingelman wrote:
>>> p.s. I at least would be very much in support of a bsd distro's
>>> restricted security mailing list if you were to create one.
>>
>> Sounds good.  Is anyone else interested in that as well?  Also, not
>> being involved with a *BSD, perhaps I should not be on that list, but
>> this brings up the issue of resolving administrative issues (e.g., not
>> being on the list I would not notice spam getting through to it).
>
> I'm afraid I don't know about interest.  I had hoped others would have
> jumped in earlier... but they have not...

Somehow there are few *BSD security folks on oss-security.  In fact,
this was one of the things I considered when I decided to start with a
Linux-only closed list.

> In the end did the opensolaris based distributions get into the closed
> linux list?

No, and they didn't ask for it.  I don't think they're on oss-security
either - I guess they're just not interested.

However, as you have seen from discussions on oss-security, the Oracle
person who formally joined for Oracle Linux is actually a Solaris person.
I find this weird.

> If not, I wonder if a list for everyone who
> repackages/distributes free/open source software (other than linux
> distro's) would make more sense than a BSD specific one?

Maybe, but I would like to see which projects/distros are actually
interested in being on such a list _and_ are on oss-security.  The
latter requirement is needed because it does not make much sense to
receive notifications of embargoed issues, yet miss notifications of
issues being made public without embargo.

> As far as you being on the list... I at least have no problem with it.
> In fact I would be surprised to find much if anything on such a list
> that was not also on the linux list.
> (My personal preference would be to have the BSD folks on the linux
> list and trust us to just ignore the kernel issues that are not
> relevant to us :)

Thank you for mentioning your preference - this is important info for me.

The effectively Linux-specific issues sometimes brought up on the list
are not limited to the kernel, though.

On the other hand, in those cases when someone brings up an issue that
is not Linux-specific, the reporter is not always willing to spend time
to notify the *BSD's even when asked to and pointed at the wiki page
with contacts.  Having a bsd-distros list that we could simply CC would
be helpful in such occasions.  But setting one up and subscribing *BSD
security contacts who expressed no interest in this kind of setup
(except for you) is weird.

> Thanks for all your work to provide good communication options!

You're welcome.

Thanks,

Alexander

