oss-sec mailing list archives

Re: linux-distros membership adjustment/vouching


From: Solar Designer <solar () openwall com>
Date: Sun, 12 Jan 2020 18:47:26 +0100

Hi,

On Fri, Jan 10, 2020 at 12:52:41PM -0800, Kees Cook wrote:
> I've been a member of linux-distros for a long while, and my hat has
> slowly changed over that time. I'm subscribed there (and here) as
> kees () ubuntu com.  When my responsibilities shifted from the Ubuntu
> Security Team to the Chrome OS Security Team, I just kept the email
> address (since it's a community address and I'm still part of the Ubuntu
> community).

> However, as my responsibilities have shifted, I'm much less involved
> with the Chrome OS Security Team, and it was recently pointed out that
> no one else from the Chrome OS Security Team is (to our knowledge)
> a member right now.

> So, attempting to solve things in a backwards order, I'd like to first
> vouch for a Chrome OS Security Team member who is already on oss-security,
> with the goal of having them added to the linux-distros list:
>
>     Jorge Lucangeli Obes <jorgelo () google com>

Given the above, I'd be happy to subscribe Jorge for Chrome OS.  I just
need Jorge's PGP key.  I also suggest using an e-mail address not on
Google's MX'es, because those reject messages sent from domains with
strict DMARC policy (most notably, when another Googler posts).

Normally such subscription changes for an already subscribed distro are
handled off-list.  However, what you bring up below deserves being
discussed on oss-security:

> Then I'd like to figure out what to do with my own membership. I'm
> still associated with Ubuntu, Chrome OS, and Android but I don't have
> "official" responsibilities as a representative of their respective
> security teams. I am, however, an upstream Linux kernel security contact
> (but that doesn't qualify as a "Unix-like operating system distro", from
> item "1" in the membership criteria[1]). I am still involved in fixing,
> notifying, negotiating, delegating, etc, in these various distros. Should
> I stay on linux-distros? I would prefer to (it makes that work simpler),
> but since there isn't any "criteria for continuing membership" on the
> Wiki, I'm not entirely sure what the right course of action should be.

I think it'd be most consistent with our criteria so far if (at least)
one of those distros' security teams does state that you'd represent
them.  Without that, you staying on linux-distros would be weird and
inconsistent with requirements we set for others.

> (And if I stay, perhaps it would be more accurate to use kees () kernel org?)

It'd be up to you to choose an e-mail address that's convenient for
you.  Messages are encrypted anyway, so this choice sort of does not
matter for security.  In practice, though, it does matter a little bit:
if you choose an e-mail address in a specific distro's domain name, then
if you ever leave their team and they disable that e-mail account you
wouldn't be getting the messages anymore (and they wouldn't be able to
read messages intended for you either, due to the encryption to your
key), even if they forget to promptly ask for your address to be removed
from the list.  Despite this minor security advantage, I don't insist
on use of such e-mail addresses so far, as I realize it's often far more
convenient to use an external e-mail address.

As to kernel.org, it isn't particularly relevant here since the Linux
kernel is not a Linux distro.  It's just an address you can use, just
like any other address.

Alexander

