Re: tool announcements

[Pierre-Yves Rofes <py () gentoo org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Solar Designer a écrit :

> On Mon, Jun 02, 2008 at 02:41:48PM -0800, Jonathan Smith wrote:
> > I wholeheartedly agree.
>
> Thank you for commenting on this.  Your opinion is appreciated and may
> affect our moderation policy.  At this point, I am not sure if it is the
> prevailing opinion of this group, though.

FWIW, I tend to agree too. Many of us are already subscribed to
full-disclosure/bugtraq because we send our advisories there, so it
seems a bit pointless.

> > Announcements of this kind belong on bugtraq/FD
>
> Maybe.  However, many topics are valid on Bugtraq - not only Open Source
> ones.  I imagine that someone could be interested in security tool
> announcements relevant to Open Source software only.  Also, Bugtraq is
> so large that few of us would dare to bother its readers with
> announcements of new versions of a tool, even fairly major ones.
>
> As to full-disclosure, we all know that there's a lot of noise on that
> list. 

That's unfortunate, hopefully it won't happen here if we keep moderating
it, but I agree with what's said below, we should think about a proper
policy to detail what's allowed (and encouraged) on the list, and what's
not.

> Maybe we need to setup a new oss-sectools list, but I'd rather not go
> for it until we start to receive a substantial number of security tool
> announcements in here.  This implies that we let those announcements
> through moderation - or people will stop sending them.  At a later time,
> I'd start rejecting them with requests to repost to oss-sectools - but
> this is not an option yet.
>
> > or per-software announce lists like nmap-announce.
>
> Indeed, but that does not eliminate the need for a shared list.
>
> > I think this list is,
> > or should be, for discussion only. If the post isn't designed to spark
> > discussion (other than "does this belong here" discussion :-) it should
> > be somewhere else.
>
> I mostly agree, but please see above re: "something else".
>
> As to "sparking discussion", it is impossible to know that in advance.
> Yes, you wrote "designed to ..." - does ending a post with "comments,
> please?" qualify?  If so, that could be used on any announcement - even
> on a mostly-PR one.
>
> Also, what about those CVE requests - is a single response, assigning
> the CVE number, "discussion"?  OK, in some cases people actually have
> comments.

Looking at the archives, at least half of the topics are CVE requests,
so maybe we should think about renaming the list "oss-CVEreq" :)
But personally, I find it very useful, it's also a handy way to keep an
eye on possible issues before they're on secunia, e.g when a user
reports a bug on a distro's BTS instead of reporting directly
to the upstream project.

> > Announcements are intended either for existing end-users or as a PR
> > ploy. Existing users are probably subscribed to the project-specific
> > list (or don't care) and this isn't the place for PR.
>
> Of the existing lists, Bugtraq is probably the place for PR.
>
> However, some tools could be of specific relevance to oss-security
> members - e.g., source code analysis tools and fuzzers.  Do you agree?
> Is a moderator supposed to decide whether or not this is the case?
>
> > So, was this message, and "SQL_injection detection tool released" held
> > for moderation?
>
> Yes, they were.
>
> > If so, why were they approved? Presumably whoever did so
> > has some reason not-yet-mentioned, since the SQL_injection one didn't
> > contain a query about testing and code review.
>
> I was the one to approve both messages.  So far, the only messages that
> were not approved were spam.
>
> I don't regret approving these messages - I think that we're having
> useful discussion as a result, and I think that it was important for
> this group's members to be aware of what was coming to the list (except
> for spam).  Let's say that these two messages are "samples" of content
> that we might or might not want in here.
That's a wise decision, at least now we know what content we're going
to receive.

> My opinion is that moderators are not supposed to define the list's
> policy on their own - and we did not (and still do not) have this bit of
> policy fully defined.  So let's try to take care of that now, or I would
> not know what to do if more messages like these two arrive to the list.

As said before, I totally agree here.


- --
Pierre-Yves Rofes
Gentoo Linux Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIRalLuhJ+ozIKI5gRAhRIAJ90hvNzoAOzUoL/zcyX6aHCpVu7VQCeN888
xnh/i0rVtkrWE+Rl0nEMpnQ=
=Zjed
-----END PGP SIGNATURE-----