oss-sec mailing list archives

Re: Request for linux-distros subscription


From: Greg KH <greg () kroah com>
Date: Wed, 4 Jun 2014 22:00:21 -0700

On Wed, Jun 04, 2014 at 09:43:05PM -0700, Ramon de C Valle wrote:
>> [1] if they are added then by that logic we need to add every product
>> which has virtualization support or a ported environment that can run
>> Linux (busybox anyone?) which is basically crazy.
> 
> This statement just reinforces what I said above. There are so many
> problems in this statement that I don't even know where to start. It
> is my understanding that you're comparing ESXi with BusyBox, although
> they're different things and ESXi uses BusyBox (which you probably
> didn't know).

> If we enter into the merits of virtualization products (and cloud
> services), you may or may not have noticed, but the majority of them
> are already subscribed (albeit indirectly), except VMware. Amazon,
> Canonical, Oracle, Red Hat are all present. Let's assume, for
> example, that a critical vulnerability in a critical OSS that affects
> not only the Linux distributions but also the virtualization products
> (and cloud services) of any of the companies mentioned above is
> disclosed on the list. We both know that this information will be used
> not only to fix the vulnerability in the Linux distributions but also
> in all the other products and services of these companies in advance.
> Don't you think it's a bit unfair? I could easily assume that you are
> biased towards VMware not being subscribed to the list. But we aren't
> going to enter into that merit, are we?

Wait, companies aren't on these lists to "fix things in advance", they
are on them to help resolve the issues with the community members of the
OSS projects, and to help prepare for the announcement in an organized
manner.  The fact that they work _with_ the community projects is a
major thing here.  It is not a one-way street at all.

I'm sure if anyone is found to be "fixing things in products ahead of
time", that will be addressed properly, but that is _not_ the reason
this group is here for at all from what I can tell (note, I'm not on the
list, but was on vendor-sec for years, and never saw any "fixes ahead of
time" there that were not just honest mistakes.)

> So far I have explained many reasons why we should be subscribed to
> the list, yet you haven't explained any why we shouldn't (other than the
> "you're not a Linux distribution" above, which I have said myself in
> my very first post).

What specific OSS products are you relying on that you wish to have
advance notice of vulnerabilities in?  As you aren't a public Linux
distro, it's hard to find a list anywhere about what exact code bases
you are concerned about tracking here.

Well, except for the previously mentioned huge Linux driver code base
(i.e. the thing that runs your flagship product) but I've already stated
my objection there for why you should not be allowed access to any
"special" knowledge there.

thanks,

greg k-h
