oss-sec mailing list archives
Re: Gentoo's "contributing back" linux-distros tasks
From: Yury German <blueknight () gentoo org>
Date: Mon, 12 Oct 2020 14:36:55 -0400
On 10/12/20 8:30 AM, Solar Designer wrote:
Hi,

Gentoo signed up for these "contributing back" tasks for linux-distros:

https://oss-security.openwall.org/wiki/mailing-lists/distros#contributing-back

9. Stay on top of issues to ensure progress is being made, remind others when there's no apparent progress, as well as when the public disclosure date for an issue is approaching and when it's finally reached (unless the reporter beats you to it by making their mandatory posting to oss-security first) - primary: Gentoo, backup: Amazon

11. Make sure the mandatory oss-security posting is made promptly and is sufficiently detailed, and remind the reporter if not - primary: Gentoo, backup: Amazon

12. If exploit(s) were shared on the list, make sure that either they're included in the oss-security posting along with the issue detail or the posting includes an announcement of planned later posting of the exploits (with the delay being within list policy), and in the latter case also make sure that the later posting is in fact made as planned, and remind the reporter if not - primary: Gentoo, backup: Amazon

13. Keep track of per-report and per-issue handling and disclosure timelines (at least times of notification of the private list and of actual public disclosure), at regular intervals produce and share statistics (most notably, the average embargo duration) as well as the raw data (except on issues that are still under embargo) by posting to oss-security - primary: Gentoo, backup: Amazon

and we saw some contributions from Gentoo on these, most notable being their work on the statistics (task 13 above):

https://oss-security.openwall.org/wiki/mailing-lists/distros/stats

Unfortunately, the last update of these statistics ("Last modified: 2019/10/15 01:52 by kristianf") is also when the contributions ceased. Some others have been taking care of tasks 9, 11, 12 (in particular, Anthony Liguori of Amazon has been helping, but on various occasions also many others from other distros), but not yet of task 13.
I understand that Gentoo is a community project run by volunteers, and I am not complaining. Rather, I think we need to discuss with Gentoo in here and reassign to other distros whatever responsibilities Gentoo no longer has resources for. We should ideally keep at least one task Gentoo's responsibility (and Gentoo should have specific people assigned to that task), at least to be consistent with our current requirements for new distros joining (linux-)distros.

To Gentoo: which of these tasks, or other "contributing back" tasks, are you (still) willing to handle, and who on your team would handle them?
Alexander,

As you mentioned, Gentoo is a purely volunteer distribution, and due to the happenings in the world we could not devote a lot of time.

Currently I have been maintaining the statistics for the list, but there was a time from October to January that I was off the list and do not have the archive of the messages. I will need to work with someone to fill out those statistics as K_F is currently not available. I will be able to continue with Task 13, and will catch up during the weekend.
To others on linux-distros: which of the above tasks do you volunteer to become primary for?

To Amazon: do you want to remain backup for task 13, or do you not have the resources to handle it?

If Gentoo already has some work-in-progress on task 13 for October 2019 and on, yet we reassign this task to another distro, then that data and instructions should probably be transferred to the other distro.

Alexander
Current thread:
- Gentoo's "contributing back" linux-distros tasks Solar Designer (Oct 12)
- Re: Gentoo's "contributing back" linux-distros tasks Anthony Liguori (Oct 12)
- Re: Gentoo's "contributing back" linux-distros tasks Yury German (Oct 12)