Re: illumos (or at least danmcd) membership in the distros list

[Dan McDonald <danmcd () mnx io>]

On Sep 15, 2023, at 5:09 PM, Solar Designer <solar () openwall com> wrote:
> Hi Dan,
>
> Your request looks good to me, except that this criterion:
>
> On Wed, Sep 13, 2023 at 08:21:22PM +0000, Dan McDonald wrote:
> > > Have a publicly verifiable track record, dating back at least 1 year and continuing to present day, of fixing 
> > > security issues (including some that had been handled on (linux-)distros, meaning that membership would have been 
> > > relevant to you) and releasing the fixes within 10 days (and preferably much less than that) of the issues being 
> > > made public (if it takes you ages to fix an issue, your users wouldn't substantially benefit from the additional 
> > > time, often around 7 days and sometimes up to 14 days, that list membership could give you)
>
> is meant to be about the distro, not about you personally.
>
> Alan Coopersmith also correctly pointed this out and made suggestions.
>
> Can you show illumos fixing non-illumos-only security issues within days
> after public disclosure, so that a few days of advance notice would have
> made those fixes even quicker?

It's a per-illumos-distro property.  OmniOS has Stable & LTS releases.   Here's the current-stable
release notes, dynamically updated every time they update:

        https://github.com/omniosorg/omnios-build/blob/r151046/doc/ReleaseNotes.md

So I'm not sure if a few days of advance notice would make those quicker,
but I do know that other distros have biweekly scheduled releases, and advance
notice there would keep those wheels spinning faster.  Esp. since "patch tuesday"
is a mere one-day before the release branch is forked off on release weeks.

Our security coordination in illumos is to warn distro-runners, and they make their own
decisions based on that data. None have ever violated embargos.

Thanks,
Dan