oss-sec mailing list archives

Re: charter - advisories


From: Solar Designer <solar () openwall com>
Date: Tue, 19 Feb 2008 22:44:22 +0300

On Tue, Feb 19, 2008 at 10:09:23AM -0700, Vincent Danen wrote:
> Yeah, I noticed this as well.  I think advisories should be kept off the
> list, for the same "signal-to-noise ratio" principle as bugtraq and FD.

For now, I've edited the charter draft as follows:

Security advisories aimed at end-users only are not welcome (e.g., those
from a distribution vendor announcing new pre-built packages).  There has
to be desirable information for others in the Open Source community
(e.g., an upstream maintainer may announce a new version of their
software with security fixes to be picked up by distributors).

If anyone can word it better, please do.

> It may be a better idea, if desired, to make a separate list that is a
> fully moderated (or possibly a reject-all with exceptions) list specific
> to carrying vendor advisories.

Yes, that was my idea too.  However, now that we mention the distinction
between two kinds of advisories (those for end-users only vs. those
useful to others as well), I am not sure which of these we want to go to
that other list.  Should we create a list for advisories that are useful
for us, then change the above guideline to "no advisories" for the main
oss-security list?  Or should we create a list for both kinds of
advisories?  In the latter case, should we ban the useful advisories
from the main oss-security list or should these be CC'ed to both lists?
Or should we create two new lists?..

Alexander
