oss-sec mailing list archives
Re: membership request to the closed linux-distros security mailing list
From: Florian Weimer <fw () deneb enyo de>
Date: Sun, 22 Mar 2015 12:26:50 +0100
* Solar Designer:
> Oh, and I need to announce that one distro left the list earlier this month: the person previously subscribed for Android determined that "the mail going to those lists hasn't been actionable" for Android.
Well, this can mean basically anything. Maybe they can't do embargoes at all, considering how fixed software is delivered to end users.
> 3. Set up a separate list for primarily non-free software and primarily non-software vendors. Of the existing linux-distros members, maybe Amazon Linux AMI, MontaVista, and Wind River should be moved there.
Huh? Isn't Amazon Linux AMI just a piece of software? MontaVista and Wind River are subsidiaries of Cavium and Intel, and the parent company product security teams should be on a (linux-)distros-type list anyway.
> The idea behind such a list is that we'd let people decide who they want to notify: all distros (including this separate list) or just the more free'ish subset (not including this separate list).
Why would you give priority to free-ish distributions? What's the goal? We are all on the same Internet, which is why I fail to see the benefit of distributing vulnerability information based on this criterion.
And indeed, the separation between these sub-lists is unclear. There will always be doubts where a given vendor belongs. For example, to me Red Hat is free enough to be on the privileged sub-list, but someone might disagree.
Being commercial hopefully means that your security team members don't need an actual job that pays the bills, which may create additional obligations. If the security team is just a bunch of volunteers, you have different potential for conflicts of interest (not sure what's worse, an additional job, or commercial pressures).
Comments?
What's happening on the distros list these days? Who are the primary contributors? Are there discussions about technical details? Or is it just CRD coordination? Or do people just drop off pre-advisories?