Re: Vendor-sec hosting and future of closed lists

[Greg KH <greg () kroah com>]

On Thu, Mar 03, 2011 at 08:11:00PM -0500, Michael Gilbert wrote:
> On Thu, 3 Mar 2011 16:41:07 -0800 Greg KH wrote:
> > On Thu, Mar 03, 2011 at 07:26:21PM -0500, Dan Rosenberg wrote:
> > > Of course failing to anticipate security impact is bound to happen in
> > > the kernel; it frequently happens in userland too, and is unavoidable.
> > >  That doesn't mean we can't try, and it doesn't mean we should be
> > > overly paranoid and have security folks manually audit every patch.
> > > Currently, maintainers and bug reporters are expected to ask
> > > themselves a simple question when deciding whether or not to CC
> > > stable: "does this fix a bug or security issue, or is it a new
> > > feature?".  Similarly, I don't think it's too much to ask for people
> > > to consider the question of "does this bug it allow an unprivileged
> > > user to crash the system, gain additional access, or otherwise cross
> > > privilege boundaries?"  And if the answer is "I don't know, maybe?",
> > > then they should CC this list to be safe.  I think this would result
> > > in not nearly as much volume as you're anticipating.
> >
> > They do this already today, that's what security () kernel org is for, and
> > it gets a bit of traffic like this every week.
>
> Is this list open to the public?  It doesn't seem to be available on
> http://vger.kernel.org/vger-lists.html.

No, it is closed, as it should be as potential security problems are
mailed there.  You don't want that to be totally open, right?

thanks,

greg k-h