oss-sec mailing list archives
Re: illumos (or at least danmcd) membership in the distros list
From: Solar Designer <solar () openwall com>
Date: Fri, 22 Sep 2023 23:40:06 +0200
On Fri, Sep 22, 2023 at 07:27:55PM +0200, Solar Designer wrote:
On Mon, Sep 18, 2023 at 05:36:13PM +0000, Dan McDonald wrote:On Sep 15, 2023, at 5:09 PM, Solar Designer <solar () openwall com> wrote:Can you show illumos fixing non-illumos-only security issues within days after public disclosure, so that a few days of advance notice would have made those fixes even quicker?It's a per-illumos-distro property. OmniOS has Stable & LTS releases. Here's the current-stable release notes, dynamically updated every time they update: https://github.com/omniosorg/omnios-build/blob/r151046/doc/ReleaseNotes.md So I'm not sure if a few days of advance notice would make those quicker, but I do know that other distros have biweekly scheduled releases, and advance notice there would keep those wheels spinning faster. Esp. since "patch tuesday" is a mere one-day before the release branch is forked off on release weeks.This looks pretty good for OmniOS, e.g. for OpenSSL CVE-2023-3817 it appears to be 4 days from OpenSSL advisory on "31st July 2023" to OmniOS "r151046n (2023-08-03)", and even something like 1 day for OpenSSH update to "9.3p2, fixing CVE-2023-38408" and for "AMD CPU microcode updated to 20230719, mitigating CVE-2023-20593 on some Zen2 processors" in "r151046m (2023-07-25)" (it was brought to oss-security on July 24). That page above goes back to May 2023. Were there separate ones for older releases? For "a publicly verifiable track record, dating back at least 1 year and continuing to present day".
I see this one goes from December 2022 to present: https://github.com/omniosorg/omnios-build/blob/r151044/doc/ReleaseNotes.md and this one from May 2022 to April 2023: https://github.com/omniosorg/omnios-build/blob/r151042/doc/ReleaseNotes.md So that's already more than a year, and I don't need to look further. Also, I note this reply by Bob Friesenhahn: https://www.openwall.com/lists/oss-security/2023/09/14/1 On Thu, Sep 14, 2023 at 08:36:17AM -0500, Bob Friesenhahn wrote:
I am not a member of the 'distros' list, but can vouch for Dan McDonald's dedication and capabilities, as observed over several years. Dan did not mention it, but he previously became the primary maintainer of an Illumos distribution known as "OmniOS", which I use. As a maintainer, Dan did pay close attention to security issues.
So I think we can accept OmniOS as new distros list member, if that's desired and Dan would represent OmniOS on the list. This subscription on its own would not allow sharing of info with other illumos distros. In special cases, Dan would be able to ask the issue reporters their explicit permission to share with other illumos distros. If those distros do typically need the info, they may request direct list membership. How does this sound to you, Dan? Alexander
Current thread:
- Re: illumos (or at least danmcd) membership in the distros list, (continued)
- Re: illumos (or at least danmcd) membership in the distros list Bob Friesenhahn (Sep 14)
- Re: illumos (or at least danmcd) membership in the distros list Demi Marie Obenour (Sep 14)
- Re: illumos (or at least danmcd) membership in the distros list Dan McDonald (Sep 14)
- Re: illumos (or at least danmcd) membership in the distros list Jean Luc Picard (Sep 14)
- Re: illumos (or at least danmcd) membership in the distros list Solar Designer (Sep 14)
- Re: illumos (or at least danmcd) membership in the distros list Dan McDonald (Sep 14)
- Re: illumos (or at least danmcd) membership in the distros list Dan McDonald (Sep 14)
- Re: illumos (or at least danmcd) membership in the distros list Alan Coopersmith (Sep 14)
- Re: illumos (or at least danmcd) membership in the distros list Solar Designer (Sep 15)
- Re: illumos (or at least danmcd) membership in the distros list Dan McDonald (Sep 18)
- Re: illumos (or at least danmcd) membership in the distros list Solar Designer (Sep 22)
- Re: illumos (or at least danmcd) membership in the distros list Solar Designer (Sep 22)
- Re: illumos (or at least danmcd) membership in the distros list Dan McDonald (Sep 25)
- Re: illumos (or at least danmcd) membership in the distros list Solar Designer (Sep 25)
- Re: illumos (or at least danmcd) membership in the distros list Dan McDonald (Sep 25)
- Re: illumos (or at least danmcd) membership in the distros list Solar Designer (Sep 25)
- Re: administrative tasks (was: illumos (or at least danmcd) membership in the distros list) Alan Coopersmith (Sep 26)
- Re: illumos (or at least danmcd) membership in the distros list Dan McDonald (Sep 18)
- Re: illumos (or at least danmcd) membership in the distros list Alan Coopersmith (Sep 25)