oss-sec mailing list archives
Re: Closed list
From: Ben Laurie <benl () google com>
Date: Mon, 4 Apr 2011 14:35:30 +0100
On 3 April 2011 22:33, Solar Designer <solar () openwall com> wrote:
> Ben,
>
> On Sun, Apr 03, 2011 at 10:06:03PM +0100, Ben Laurie wrote:
>> OK, but ... I wasn't on vendor-sec, but (IMO) am at least as qualified as most of the people who were. Now what?
>
> What do you propose? In what capacity do you feel you're qualified?

FreeBSD committer, core contributor to various "OpenSource projects with a large user base and/or high security exposure".

> Don't get me wrong, I have a lot of respect for you - in fact, in my sysadmin role, I am flattered that you'd want to be on a list I set up. I just think that you providing answers to the questions above will help the discussion. I don't know what your answers would be (I can try to guess, but I might be wrong). I do think that you might propose something we have not yet thought of.

I'm not sure I have a helpful proposal, but closed security lists have always made me somewhat grumpy. Basically, it seems to me that there are two major problems with them:

1. People who "ought" to have the information don't, because they're not on the list.

2. People who "ought not" to have the information do, because they are on the list.

So my general inclination is to at least fix this problem for myself, by being on all the lists :-)

Yes, this doesn't fix problem 2 - so sorry: my general stance on this is that it is really impossible to say who "ought" and "ought not" to have security info. I hear all sorts of noises about vendors being in the "ought" camp and end users in the "ought not", but that makes no sense to me: vendors only "need" to be on the "ought" list because they're a roadblock between the software authors and the end user. They should just fix that problem. In any case, who is a "vendor"? I build all my s/w from source, pretty much. Am I therefore a vendor (to myself)?

Alternatively, I "ought" to be on the list because history has shown that a) I can sometimes do something useful about the problem and b) I can be trusted with the information. Maybe that's a better way to run a list, I don't know.

> The vendor-sec membership requirement was just for the initial seed membership of the new list. Its purpose is to ensure we're not making things worse in terms of pre-CRD leaks, at least not right away. ;-)
>
> As you can see from another message I posted, I've only set up a Linux distros list for now, which lets us side-step the issue of comparing one security researcher vs. another for membership of that list. I'd be happy to set up a separate list with only security researchers on it, and we can ask folks to CC that list whenever a discussion on the Linux distros list is expected to significantly benefit from participation of the researchers.
>
> I'd be happy if you have a better proposal.
>
> Thanks,
>
> Alexander