oss-sec mailing list archives

Re: closed-list membership transition


From: Solar Designer <solar () openwall com>
Date: Sat, 17 Sep 2011 09:53:53 +0400

On Fri, Sep 16, 2011 at 10:53:40AM -0700, Kees Cook wrote:
> My last day with Canonical is today. Starting on Sep 19th, I will be
> working for Google on ChromeOS. I'd like to transition my closed-list
> membership based on the fact that ChromeOS is also a distro, and I'll
> still have security responsibilities with it. How should this be handled?

The initial seed membership for the closed list was limited to distros
who were on the old vendor-sec (and additionally limited to Linux only).

I think it's in fact time for us to start accepting other qualifying
Linux distros.

One of the criteria should be that the distro is generally available
(not limited to just one organization).  Another is that it should be
issuing timely security updates.  And, without the "was on vendor-sec"
requirement, we'll need someone to vouch for each new distro member and
the first person to subscribe from that new distro.  (Then that person can
nominate additional contact persons for the distro.)

I think that Chrome OS qualifies.  As far as I can see, it's generally
available now: http://getchrome.eu/download.php

Also, I am happy to vouch for Kees.  (I would vouch for other Chrome OS
security people I know as well, but this specific request is from Kees.)

So I'd like Chrome OS and Kees in particular to be on the closed Linux
distros list, to receive advance notification of up to 14 days on medium
severity issues (this is what the list is for).

I'd appreciate any comments on any of the above (support, objections,
anything else).

Thanks,

Alexander

