Re: membership request to the closed linux-distros security mailing list

[Anthony Liguori <anthony () codemonkey ws>]

On Fri, Mar 20, 2015 at 8:50 AM, Stuart Henderson <stu () spacehopper org> wrote:
> On 2015/03/20 08:16, Anthony Liguori wrote:
> > I think the alternative is to formalize what already appears to be the
> > existing practice: disclose distros@ on the existence of a
> > vulnerability but require direct contact for the details of the
> > vulnerability if the submitter/upstream thinks the impact is high.
>
> Are private lists even needed if this policy is taken?

I think there's a lot of value in being able to just send a low-medium
impact issue to a single list of groups that have gone through some
level of vetting without needing to respond directly to individuals
and making value judgements.

I also think it's helpful to have a single point of contact so that an
upstream isn't dealing with 10 different people from a single
organization asking for details.

Regards,

Anthony Liguori