Re: Closed list

[Solar Designer <solar () openwall com>]

On Fri, Apr 01, 2011 at 10:13:05PM -0400, Mike O'Connor wrote:
> I use my personal address rather than my work address for handling
> vendor security matters because:

Thank you for explaining this in here.

> The vetting should be about more than email domains.  There should be
> periodic maintenance of who's on the list to cull out those who aren't
> involved.  Marcus did that to some degree with the vendor-sec of old.

Right.

> I think the biggest problems there were the exploders and the lack of
> encryption,

Maybe (re: "biggest").

> and both of those are being addressed with this new list
> as I understand things.

Yes, they are.

> I think that having a couple lists, one for "tactical" issues (e.g.
> embargoes and CVE assignment) and another for "strategic" discussions
> (e.g. "how to deal with vagaries in gcc vs. C standards with general
> security impact") may be appropriate.  I'm part of another security
> community which has such a notion, and it seems to help in keeping
> things focused, FWIW.

It appears that this is what we will have, but I am starting with one
list that is more obviously needed (alternative to CC lists).

Your specific example re: "how to deal with vagaries in gcc vs. C
standards with general security impact" would be best discussed on
oss-security (that is, on a public list), though.  It does not benefit
from a short embargo, and long embargoes are inappropriate.

Alexander