oss-sec mailing list archives
Re: charter - advisories
From: Vincent Danen <vdanen () linsec ca>
Date: Sun, 24 Feb 2008 23:18:13 -0700
* [2008-02-25 01:26:00 +0300] Solar Designer wrote:
On Wed, Feb 20, 2008 at 12:26:21PM -0700, Vincent Danen wrote:Hmmm... maybe we should clarify the advisories we don't want to see. I guess advisories from, say, iDefense, would be valuable. But advisories from Mandriva or SUSE not so much. Maybe we should indicate no *vendor* advisories,I think this is pretty much what we did already. From the charter: Security advisories aimed at end-users only are not welcome (e.g., those from a distribution vendor announcing new pre-built packages). There has to be desirable information for others in the Open Source community (e.g., an upstream maintainer may announce a new version of their software with security fixes to be picked up by distributors). If you can word this better, please go ahead and edit it on the wiki.
No, that sounds fine to me, but I don't think it was there when I initially replied (or at least, not when I had looked at it last prior to that reply).
and make a second list specifically for that?I'd be happy to make such a list if there's demand - is there? Let me address this question to those vendors (represented in here) who currently copy their advisories to Bugtraq - will you start sending them to this new special-purpose list? If so, will you discontinue sending them to Bugtraq, suggesting that whoever wants to receive all-vendor advisories should subscribe the new special-purpose list? I think this could help us reclaim Bugtraq as a general security discussion list.
For Mandriva, I can say yes. We currently send to bugtraq, FD, our own announcements list (which includes the bugfix advisories, and would likely remain the only source of bugfix/enhancement advisory notification), and I believe to CERT. We would drop the sending to bugtraq and FD if such a list existed.
Note that Bugtraq will remain quite different from oss-security even if reclaimed as a discussion list. oss-security is for people involved with OSS projects (although others are welcome to listen to our conversations) and for detailed discussions of source code patches, etc. when that is needed. Bugtraq is for everyone, including end-users and closed-source folks - and it is large-scale, meaning that discussions of individual issues should not run for too long and get into minor detail.
I don't think there is currently anything with the same goals/content as what we'll be seeing on oss-security.
Also, a question to those vendors (represented in here) who don't copy their advisories to Bugtraq currently (too shy or polite) - will you start sending them to this new special-purpose list?
With my Annvix vendor hat on, I'd say no, but it's largely due to the small userbase and my not wanting to expend needless energy on writing advisories (for the Annvix userbase, the changelogs are sufficient). -- Vincent Danen @ http://linsec.ca/
Attachment:
_bin
Description:
Current thread:
- Re: wiki, (continued)
- Re: wiki Vincent Danen (Feb 19)
- Re: wiki Josh Bressers (Feb 18)
- charter Jonathan Smith (Feb 18)
- Re: charter Josh Bressers (Feb 19)
- Re: charter Mark J Cox (Feb 19)
- Re: charter Vincent Danen (Feb 19)
- Re: charter - advisories Solar Designer (Feb 19)
- Re: charter - advisories Josh Bressers (Feb 19)
- Re: charter - advisories Vincent Danen (Feb 20)
- Re: charter - advisories Solar Designer (Feb 24)
- Re: charter - advisories Vincent Danen (Feb 24)
- Re: charter - advisories Mark J Cox (Feb 25)