Re: Vendor-sec hosting and future of closed lists

["S.P.Zeidler" <spz () NetBSD org>]

Hi,

Thus wrote Greg KH (greg () kroah com):
> On Sat, Mar 05, 2011 at 09:17:51PM +0100, S.P.Zeidler wrote:
> > Thus wrote Solar Designer (solar () openwall com):
> >
> > > > - If yes, would it be an idea to confine or split into lists of focus groups?
> > > >   (like Linux vendors, BSD vendors, all OSS source using vendors, etc?)
> > >
> > > My current proposal is: split into several sub-lists.  I'd start with
> > > three: Linux vendors, *BSD vendors, security "researchers".  The vendor
> > > groups would be for externally submitted reports (by non-members) and
> > > for cross-vendor discussions.
> >
> > I'd suggest four, then: Linux (kernel and libc), BSD (kernel and other
> > items shared between BSDs, but not commonly seen in Linux distributions),
> > shared/userland (who eg doesn't have OpenSSL?), and researchers
> > (no opinion on the latter).
>
> This means that for a "normal" Linux distribution, someone would have to
> be subscribed to at least 2 lists, and possibly three?

Two, to be made aware of issues (same for BSDs).

> And where would someone post a problem to?  How would they know if a
> pacakge is shared from BSD and Linux without having to do a lot of
> research first?

Assume shared unless you know it's a specific problem. :)

> I really don't mind seeing all of the traffic for all of the issues, but
> perhaps the BSD developers get tired of seeing all of the Linux kernel
> issues go across their mailbox so they don't want to have to see them
> anymore :)

I wouldn't be on the list but I guess our security-officers coped.
It's rather that I would like to avoid the BSDs being forgotten.

regards,
        spz
-- 
spz () serpens de (S.P.Zeidler) spz () NetBSD org