oss-sec mailing list archives

Re: Thoughts about security of Linux distributor collaboration platforms, bugtrackers for opensource software


From: halfdog <me () halfdog net>
Date: Sat, 13 Feb 2016 08:02:59 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Scotty Bauer wrote:
I assume most severe Linux bugs are going through the distros list,
which does exactly as you describe in your mail...

http://oss-security.openwall.org/wiki/mailing-lists/distros

That is true, so the distros list can be proud to have adopted a
secure procedure already. But at least some of the issues going to be
communicated on the distros list were handled in various bug tracking and
collaboration platforms up to the point that severe security impact
is confirmed. I would guess that quite a number of issues stay in
that state for about 2-6 months before making it to the distros list and
the beginning of the maximum 2-week final embargo time.

Data communicated in the final 2 weeks is secured, but I am worried
about the 6 months of centralized, structured and unencrypted
communication before that, which might not be so hard to tap into.

On 02/12/2016 10:52 PM, halfdog wrote:
Hello List,

As just written in a mail to another list, this might also be
interesting for discussion here:

As it would be the most natural thing for e.g. NSA, China, ...
(those with the capability to monitor large amounts of network
traffic) to just record all mails from large-scale Linux
distribution collaboration and issue tracking systems containing
the keyword "security", and as this is a very cheap way to get to
near-zero-day material, I would assume that this is already
done. This is like serving them zero days on a golden plate.

Hence really critical security material perhaps should not go to
such platforms, e.g. Ubuntu Launchpad, or the platform should be
modified to send security issues only in encrypted mails without a
talkative title; members without a registered mail public key
should get only the message "Bug [Number]: Info changed", including
the HTTPS link to the issue in the platform.

What do you think?

Does someone have a link to anyone having access to the selector
lists leaked by Snowden, to ask them which of the distros are
already in scope, or otherwise to discard this e-mail as pure
paranoia?

Kind regards, hd

- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAla+4ysACgkQxFmThv7tq+7OMQCdGl91twyyWt1jQ/Ta5v71UMQh
37AAnRLRa8nOpBVaP6R4g6r7A7BtcSYE
=QM3G
-----END PGP SIGNATURE-----
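The notification policy proposed in the quoted mail (neutral "Bug [Number]: Info changed" subject, full text only in an encrypted body for members with a registered key, number and HTTPS link only for everyone else), next to the naive tracker mail it replaces, as an added example in Python that is not part of the original thread and not Launchpad's or any tracker's own code. It goes one step beyond the mail by also modelling the passive collector that greps the wire form of every message for the keyword "security", so the difference in exposure can be checked. Assumptions: the tracker URL pattern `TRACKER_URL` is hypothetical, `demo_encrypt` is a stand-in that only produces the PGP/MIME (RFC 3156) container shape so the script runs offline (a deployment would wire it to gpg), and the issue and recipient data are constructed.

```python
import re
from dataclasses import dataclass
from email import encoders
from email.message import EmailMessage
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from typing import Callable, List, Optional

# Assumption for the example: the tracker's issue URL pattern (hypothetical).
TRACKER_URL = "https://tracker.example.org/bugs/{number}"


@dataclass
class Issue:
    number: int
    title: str
    body: str


@dataclass
class Recipient:
    address: str
    pgp_fingerprint: Optional[str] = None  # None: no public key registered


def naive_notification(issue: Issue, rcpt: Recipient) -> EmailMessage:
    """Typical tracker mail today: talkative title and full text in clear."""
    msg = EmailMessage()
    msg["To"] = rcpt.address
    msg["Subject"] = f"[Bug {issue.number}] {issue.title}"
    msg.set_content(f"{issue.body}\n\n{TRACKER_URL.format(number=issue.number)}\n")
    return msg


def minimal_notification(issue: Issue, rcpt: Recipient) -> EmailMessage:
    """No key registered: only the bug number and the HTTPS link go on the wire."""
    msg = EmailMessage()
    msg["To"] = rcpt.address
    msg["Subject"] = f"Bug {issue.number}: Info changed"
    msg.set_content(TRACKER_URL.format(number=issue.number) + "\n")
    return msg


def encrypted_notification(issue: Issue, rcpt: Recipient,
                           encrypt: Callable[[str, bytes], str]) -> MIMEMultipart:
    """Key registered: same neutral subject; title and text only inside a
    PGP/MIME (RFC 3156) multipart/encrypted body."""
    inner = EmailMessage()  # the MIME entity that gets encrypted
    inner.set_content(f"[Bug {issue.number}] {issue.title}\n\n{issue.body}\n\n"
                      f"{TRACKER_URL.format(number=issue.number)}\n")
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["To"] = rcpt.address
    outer["Subject"] = f"Bug {issue.number}: Info changed"
    outer.attach(MIMEApplication("Version: 1\n", "pgp-encrypted",
                                 _encoder=encoders.encode_7or8bit))
    outer.attach(MIMEApplication(encrypt(rcpt.pgp_fingerprint, inner.as_bytes()),
                                 "octet-stream", _encoder=encoders.encode_7or8bit))
    return outer


def notify(issue: Issue, recipients: List[Recipient],
           encrypt: Callable[[str, bytes], str]):
    """Policy from the mail: encrypted full mail for key holders, stub for the rest."""
    return [encrypted_notification(issue, r, encrypt) if r.pgp_fingerprint
            else minimal_notification(issue, r) for r in recipients]


def passive_tap(messages, keyword: str = "security") -> List[str]:
    """Collector that records every mail whose wire form contains the keyword
    (headers and body, as a network tap would see them); returns their Subjects."""
    pat = re.compile(re.escape(keyword), re.IGNORECASE)
    return [str(m["Subject"]) for m in messages if pat.search(m.as_string())]


def demo_encrypt(fingerprint: str, plaintext: bytes) -> str:
    """Placeholder so the example runs offline; this is NOT encryption.
    A deployment would wire this to: gpg --armor --encrypt --recipient <fpr>."""
    return ("-----BEGIN PGP MESSAGE-----\n"
            f"(ciphertext of {len(plaintext)} bytes for {fingerprint})\n"
            "-----END PGP MESSAGE-----\n")


# Constructed sample data for the example, not a real issue or real people.
ISSUE = Issue(4711, "security: local root via setuid helper",
              "Steps to reproduce and proposed patch follow ...")
RECIPIENTS = [Recipient("dev@example.org", "0123456789ABCDEF0123456789ABCDEF01234567"),
              Recipient("triage@example.org")]

if __name__ == "__main__":
    print("captured (naive):   ",
          passive_tap([naive_notification(ISSUE, r) for r in RECIPIENTS]))
    print("captured (hardened):", passive_tap(notify(ISSUE, RECIPIENTS, demo_encrypt)))
```

Both naive mails are captured by the keyword tap because the title sits in the Subject header in clear; neither hardened mail is, and the key holder still receives the full text inside the encrypted part. The remaining cleartext signal is the bug number and the link, which is exactly what the quoted proposal accepts as the minimum a recipient needs.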

