oss-sec mailing list archives

Re: announcing oCERT & oss-security to Bugtraq & f-d


From: Vincent Danen <vdanen () linsec ca>
Date: Fri, 4 Apr 2008 23:06:41 -0600

* [2008-04-05 01:08:58 +0400] Solar Designer wrote:

> Josh, Vincent, Jonathan - thank you for commenting on this so promptly!
>
> Andrea - it appears that the oCERT announcement should be separate, then.
> Please go ahead with it, and feel free to mention oss-security in passing
> as a group that oCERT intends to work with, as Vincent suggested.  I'm
> not sure if it's appropriate to include a link to the oss-security wiki;
> I would do it, but Vincent suggested that we make "the intelligent" use
> Google instead (and not invite the rest to our wiki just yet).

I think at this point, just mentioning it should suffice until we figure
out the basics (unless Andrea waits until next week and we have a
consensus in place).

> Vincent Danen wrote:
> | I don't have a problem with it being announced at the same time, but I
> | do think that one day is pretty short notice to draft a decent
> | announcement (i.e. something that won't result in a "why do we need
> | another ml like fd or bugtraq" barrage of postings),

> Good point, and I am sorry for the short notice.  To me, this was
> expected, but I failed to notify the oss-security group of this
> possibility earlier.  I did not expect that the press would pick oCERT
> up before the Bugtraq & f-d announcement, though - and this is now a
> reason for not delaying the announcement anymore.

No, not for oCERT, for sure.  But I think I'd like to see some of the
ground-rules laid out first, now, before we have to re-think or change
things later (in terms of basics), and end up ticking people off.

> | because we need to
> | figure out the best way to do this so we don't get people like "n3td3v"
> | coming to the list.

> Maybe it's OK if they come to the list, but are unable to post - or get
> kicked out.

I think maybe a moderated subscription, and unmoderated postings (for
members, moderated non-subscriber postings mandatory) would be a good
way to do it.

> On Fri, Apr 04, 2008 at 12:08:07PM -0800, Jonathan Smith wrote:
> > I've got to agree with Vincent here. We didn't have much heads-up about
> > this. Having folks on-list who shouldn't be was my main concern with
> > oss-security to begin with, and posting the list to the masses (at this
> > point in time) isn't going to make that easier.
> >
> > That being said, we need to figure that out before oss-security can be
> > useful to a broader range of people and projects.

> OK, can we please start figuring this out, then?  Once there's consensus
> or an obviously prevailing opinion in this group, Openwall is going to
> re-configure the list as it will be agreed upon, and everyone can edit
> the wiki to reflect that.  Then we'll be ready for a "big announcement",
> right?  Or do we want to work on the wiki content more first?  Or maybe
> tighten up the wiki settings?

I think the wiki content is ok... we could delay this for months just
getting the wiki content straightened out and flushed out.  I don't
think we want to do that.  Tightening up who can edit the wiki is a good
idea tho.

> Let's just not leave things undefined and non-announced forever.  If
> oss-security is successful, and it appears that it is, it will become
> known anyway - but possibly with more confusion around it if we don't
> announce it ourselves.

I agree.

> > | I think we should activate membership moderation before we make a big
> > | public announcement for exactly this reason.  Which is why we need more
> > | than one day... this needs to be discussed amongst members and needs to
> > | be noted in the announcement (to keep the idiots from trying to
> > | subscribe and then us having to punt a bunch of them after the fact).
> >
> > Yep. But, I still think we should allow read-only memberships without
> > moderation. Having to read oss-security through rss or a web interface
> > would be frustrating.

I agree with Jonathan on this.

> As to whether to enable message pre-moderation for list members before
> the announcement or only when we really have to, I am not sure.  I'll
> let others decide.

No, I don't think we need to moderate member postings.  I think we
should do it this way:

- members can post at will
- subscribers are read-only [1]
- non-members have posts moderated
- membership is moderated

[1] the distinction between member and subscriber is a member being
someone who can post, and a subscriber is someone who gets it read-only

--
Vincent Danen @ http://linsec.ca/
