Re: Re: [security-vendor] Re: [oss-security] Closed list

[Josh Bressers <bressers () redhat com>]

----- Original Message -----
> > Hi Hui,
> >
> > On Thu, Apr 28, 2011 at 02:24:58PM +0800, Hui Zhu wrote:
> > > > Please add me to the new maillist. I am from Wind River.
> > Wind River is not yet being added to the new list:
> >
> > http://www.openwall.com/lists/oss-security/2011/04/24/6
> >
> > Hence, I've saved your subscription request to a separate folder, to
> > revisit it if a decision is made to start adding "closed" vendors to
> > the list, if Wind River starts to publish advisories and updates (in
> > other words, if it becomes no more closed than Red Hat), or if a
> > suitable separate list is setup.
>
> While I have not personally applied for the closed vendor list, our
> current security contact has. I thought I would attempt to explain
> briefly what we publicly disclose and what we do not. If this changes
> your stance on allowing us into the closed list that is fine, if not then
> keep this as background information for the future.
>
> Wind River provides a public RSS feed with the advisories for our
> currently supported products. However, to get to the download you need to
> be a customer.  The information in the RSS feed is accurate as to the
> description of the issue, the only thing not published is the fixes
> themselves (note, these fixes don't make sense if you are not a Wind
> River customer) along with installation notes.
>
> The RSS feeds for our three currently support product versions are:
>
> Wind River Linux 2.x : http://www.windriver.com/feeds/wrlinux_200.xml
>
> Wind River Linux 3.x : http://www.windriver.com/feeds/wrlinux_300.xml
>
> Wind River Linux 4.x : http://www.windriver.com/feeds/wrlinux_400.xml

I think this is suitable. The goal here is to ensure that a vendor is
actually producing updates and aren't just a potential leak.

Thanks.

-- 
    JB