Re: Request for linux-distros subscription

[Ramon de C Valle <rdecvalle () vmware com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- ----- Original Message -----
> From: "Greg KH" <greg () kroah com>
> To: oss-security () lists openwall com
> Cc: "Solar Designer" <solar () openwall com>, "VMware Security Response Center" <security () vmware com>, "Monty 
> Ijzerman"
> <mijzerman () vmware com>
> Sent: Thursday, June 5, 2014 2:23:25 AM
> Subject: Re: [oss-security] Request for linux-distros subscription
>
> On Wed, Jun 04, 2014 at 10:07:34PM -0700, Ramon de C Valle wrote:
> > Hi Greg,
> >
> > - ----- Original Message -----
> > > From: "Greg KH" <greg () kroah com>
> > > To: oss-security () lists openwall com
> > > Cc: "Solar Designer" <solar () openwall com>, "VMware Security Response
> > > Center" <security () vmware com>, "Monty Ijzerman"
> > > <mijzerman () vmware com>
> > > Sent: Thursday, June 5, 2014 1:09:29 AM
> > > Subject: Re: [oss-security] Request for linux-distros subscription
> > >
> > > On Wed, Jun 04, 2014 at 12:33:13PM -0700, Ramon de C Valle wrote:
> > > > Hi Alexander,
> > > >
> > > > > On Tue, Jun 03, 2014 at 01:16:47PM -0700, Ramon de C Valle wrote:
> > > > > > I can attest that Monty is my colleague and the Manager of VMware
> > > > > > Security
> > > > > > Response Center. As a former colleague of you (Kurt) and also
> > > > > > former
> > > > > > linux-distros subscriber, I would like to ask for your
> > > > > > consideration
> > > > > > for
> > > > > > subscribing Monty (or myself) to linux-distros on behalf of VMware.
> > > > > > Although ESXi isn't a Linux distribution, it implements
> > > > > > Linux-compatible
> > > > > > system calls and provides a GNU/Linux -like ecosystem that allows
> > > > > > many
> > > > > > applications that are compiled on/for Linux operating systems to
> > > > > > run
> > > > > > seamlessly. This ecosystem includes OSS that should be supported in
> > > > > > timely
> > > > > > fashion pretty much like like any other Linux distribution on the
> > > > > > list.
> > > > > > It
> > > > > > also implements a Linux kernel module interface and uses many Linux
> > > > > > device
> > > > > > drivers and kernel modules that also should be supported. In
> > > > > > addition,
> > > > > > ESXi is the base layer that many of the Linux distributions on the
> > > > > > list
> > > > > > rely upon and run atop of in many datacenters around the world.
> > > > >
> > > > > Thank you, Ramon.  This is pretty good rationale, but I feel that
> > > > > getting VMware onto linux-distros for the reasons given above would
> > > > > be a
> > > > > (possibly desirable) change in who the list is for.  So far, it's
> > > > > been
> > > > > for Linux distros, and I deliberately chose the linux-distros name
> > > > > for
> > > > > it.  Now a non-Linux-distro wants to be specifically on linux-distros
> > > > > (not just on distros), and be exposed to Linux-specific vulnerability
> > > > > details (albeit for good reasons).  I'd appreciate comments by others
> > > > > active in this community.
> > > > I'm afraid I can't comment on Greg's comments due to my lack of legal
> > > > understanding. However, in addition to the reasons explained above and
> > > > also Alan's comments (which, IMO, also add to our reasons), I'd also
> > > > appreciate comments by others active in this community and would be
> > > > happy to answer any questions anyone might have.
> > >
> > > Ok, let's keep this on a purely community basis, no legal issues
> > > involved (to quell the tide of private emails about this as well.)
> > >
> > > Your company takes the Linux kernel drivers (a large majority of the
> > > Linux kernel source tree) and builds a product around it, while refusing
> > > to contribute back to those drivers.  What you are doing has been
> > > explicitly stated as something you should not be doing by a number of
> > > community members.  Somehow you feel that your tiny "core" of a custom
> > > kernel is more important than the larger body of community work you are
> > > relying on in order for that core to work properly.
> > I'd appreciate any references to back the "a large majority of the
> > Linux kernel source tree", "while refusing to contribute back to those
> > drivers", and "tiny "core" of a custom kernel" statements if you want
> > me to make any comments.
>
> You referenced it above in your statement about why you want to be part
> of the group.  You write:
>       It also implements a Linux kernel module interface and uses many
>       Linux device drivers and kernel modules that also should be
>       supported.
>
> That Linux kernel driver codebase is huge, and odds are, much larger
> than the core kernel you are linking it to (just by the virtue of the
> fact that the Linux kernel core is much smaller than the driver portion
> of the source tree you are using.)  If I'm wrong in that your kernel is
> much larger than the drivers being used here, well, you all are doing
> something wrong :)
It wasn't said that we use every Linux kernel driver in the Linux kernel source tree; And you're also assuming that the 
only thing that is shipped in our product that is developed by us is the kernel core.

> > > Because of this reliance on that large body of code, you are now asking
> > > to be notified ahead of time about vulnerabilities in that code base by
> > > the same community members you are ignoring in the first place.
> > Same for "Because of this reliance on that large body of code".
> >
> > > Does that seem like a fair thing to be asking for?
> > >
> > > To me it does not, but feel free to persuade me otherwise.
> > My intention isn't to persuade anyone.
>
> Well, as that is what you are supposed to be doing in order to get
> admission, it seems odd that you don't intend to do this.
Like I said, my intention isn't to persuade anyone. If everyone thinks that we shouldn't be subscribed to 
linux-distros, that's fine.

> > If everyone thinks that we shouldn't be subscribed to linux-distros,
> > that's fine. I just would like a fair reasoning of why not, instead of
> > biased and emotionally-filled comments.
>
> Taking emotions out of humans and decisions causes other major problems,
> don't try to do that.  On the linux-distro list, you will have to be
> interacting with (well, supposed to be) the humans of those open source
> projects in order to address the issues found on the list.  Those
> community members are actual people with emotions and histories of
> dealing with companies in various manners.  If you somehow think that
> they will not react in ways that they feel are in the best interest of
> their project's long-term interests, well, then you are forgetting how
> open source communities work.
>
> thanks,
>
> greg k-h
- --
Ramon de C Valle
VMware Product Security Engineering
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJTkAeNAAoJEMHrzpMNBOIMFqIQAJnalhlQSDsct4MPeSZqtvRP
c0CEUFvT3k/O/sTnkJiIEsyC4p1dxCeE7tDPm9Vpz3xVLrIEgwG3NpqoU8V2YAz1
zKn3Gl2GRavn6OyGK1tZl77a6PxlHb99Mp+KW+1YdS5wuIqfzg3WkDU0yHHwEdyP
y9zGccqoiP9DK5SkxN8HoCdTrQ81JAGxkqOzMLVCo2EiUeu2yh7Yf1o71LlO7zQb
MXWmYwRl5Pu82BAhncht2Ub2NAy9yjjhyPtgZrLjdSY2WoZBFFSGRsc/D5y7+vNn
CTgBDmakn4uZQBHtZnyVxt/hqTX5u8MTKHDIKxJMYB0NgSziGFXQBsdu3bf3Q2/U
VHBkGnCQSA0Dfb1MbrEd5gop0wzwdjvYRtkFGixUvG9DDgqYMrI2xJI6tdoVhu5H
eUctvue/LT7AITY2ODy/sdp+MbhMsuhaQAjXWcDfkaEMIFpNY0GH4MaqmNntaXxg
YRbhAjCMsxZ1YB6O32V7wd5aiNQGKWNk9/zEonjYRrc6ISMlnDzW6abKv6SW6h3K
LRWA9mXb9xfWu+tPhg2244uzsQtCWkFy9+t4fX36/yAgmiGIYlqae+JsuRD3hL3U
cBuVSPVg/6xcRSjp/qTDYKHz/iG9QGGHL4iSntMLrX403YaV4ahd15Ew/mQL4WMy
qm+d8BUZx08hsQ8q+vvI
=kdZx
-----END PGP SIGNATURE-----