oss-sec mailing list archives

Re: tool announcements


From: Jonathan Smith <smithj () freethemallocs com>
Date: Tue, 03 Jun 2008 11:46:30 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Solar Designer wrote:
| Also, I am not on full-disclosure -
| should this prevent me from being a moderator for oss-security, or do I
| have to subscribe to full-disclosure?

I don't think so, no. I actually gave up on FD recently as well, given
the ever-decreasing signal-to-noise ratio.

I should clarify; I don't actually mind cross-posting, so long as the
content is appropriate on all the lists posted to. I just don't,
personally, believe announcements should be on-topic on oss-security.

| Maybe.  However, many topics are valid on Bugtraq - not only Open Source
| ones.  I imagine that someone could be interested in security tool
| announcements relevant to Open Source software only.  Also, Bugtraq is
| so large that few of us would dare to bother its readers with
| announcements of new versions of a tool, even fairly major ones.

Maybe part of the problem is that I'm not that interested in new tools.
The ones I currently have work well enough, and I can only spend so much
effort learning new stuff, and there is more interesting new stuff to
learn :)

| Maybe we need to set up a new oss-sectools list, but I'd rather not go
| for it until we start to receive a substantial number of security tool
| announcements in here.

Sounds good.

| As to "sparking discussion", it is impossible to know that in advance.
| Yes, you wrote "designed to ..." - does ending a post with "comments,
| please?" qualify?  If so, that could be used on any announcement - even
| on a mostly-PR one.

Eh. I'd still lean "no" here. It doesn't seem very likely that "new
version of $my_package released with shiny new stuff" is going to
generate useful discussion. If, on the other hand, the author of the
tool emails the list asking for comments on a new method of
vulnerability scanning or similar, which may have been recently added to
his/her toolkit, that seems quite germane.

| Also, what about those CVE requests - is a single response, assigning
| the CVE number, "discussion"?  OK, in some cases people actually have
| comments.

Good point. CVE assignments to oss software clearly belong on-list since
they help us all by not duplicating work, even if they aren't strictly
discussion.

| Of the existing lists, Bugtraq is probably the place for PR.

Agreed.

| However, some tools could be of specific relevance to oss-security
| members - e.g., source code analysis tools and fuzzers.  Do you agree?

Sure.

| Is a moderator supposed to decide whether or not this is the case?

Well, I'm not sure. Not being a moderator, I don't know how much work it
really is. *If* it is a relatively low workload, I think weeding out the
not-as-relevant announces would be very valuable.

|> So, was this message, and "SQL_injection detection tool released" held
|> for moderation?
|
| Yes, they were.

Good to know.

| I don't regret approving these messages - I think that we're having
| useful discussion as a result, and I think that it was important for
| this group's members to be aware of what was coming to the list (except
| for spam).  Let's say that these two messages are "samples" of content
| that we might or might not want in here.
|
| My opinion is that moderators are not supposed to define the list's
| policy on their own - and we did not (and still do not) have this bit of
| policy fully defined.  So let's try to take care of that now, or I would
| not know what to do if more messages like these two arrive on the list.

Agreed. I wasn't intending to pass judgment on the moderators, just
wondering.

For now, I'll concede that there isn't enough traffic to justify forming
a new list. Consequently, I suppose I'm in favor of keeping them
on-list. When/if the announcement traffic level changes, perhaps we
should revisit.

        smithj

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEAREIAAYFAkhFn5UACgkQCG91qXPaRen2WQCeJRbmeWlU3ejUH/yDIPU9Wc2Z
fUEAnjEj0IqoXLSmBLXsCMePoG+H3ea1
=4j4N
-----END PGP SIGNATURE-----