RE: membership request to the closed linux-distros security mailing list

[Sona Sarmadi <sona.sarmadi () enea com>]

> On Fri, Mar 20, 2015 at 02:00:29PM +0100, Sona Sarmadi wrote:
> > On behalf of Enea  Software AB, I would like to request membership to
> > the closed linux-distros security mailing list.
>
> Oh, recent attention to OpenSSL does wonders.  I already got off-list
> reminders from IBM and VMware this same week.
>
> Of course, this is primarily about PR, and only secondarily about security.  But
> should this be stopping us, if early security updates are also, unsurprisingly,
> good for security?
>
> OK, we got to handle these requests, and more.  Yes, there were several
> more off-list requests (obviously, they would not be handled without
> bringing them to oss-security first) during the 11 months that distros list
> membership has essentially been locked (in terms of which distros are
> represented; there were minor changes in who is subscribed for distros
> already on the list).
>
> Oh, and I need to announce that one distro left the list earlier this
> month: the person previously subscribed for Android determined that "the
> mail going to those lists hasn't been actionable" for Android.
>
> So, our options are:
>
> 1. Shut down the (linux-)distros lists and be done with this. ;-)  To me, they
> were more clearly doing more good than bad when they were a subset of
> the old vendor-sec.  With more membership requests coming in, and with
> simply ignoring such requests being unfair, maybe the time of these lists is
> over.  No, this does not mean that's my current opinion, but when doing
> something as controversial as this, I think we should at all times be
> reconsidering whether the "more good than bad" condition is possibly no
> longer met.  (Of course, some people are convinced that it never was.  I am
> not.  Rather, I am unsure.)

This is probably not a good idea, considering such an increasing interest for this list :)
 
> -OR-
>
> 2. We can just go ahead and review each request for acceptance for the
> existing (linux-)distros lists.  In this case, we'd be less likely to satisfy all of the
> pending requests.  And maybe we should question the subscription of
> Amazon Linux AMI, MontaVista, and Wind River, which are now linux-distros
> members.
>
> -OR-
>
> 3. Setup a separate list for primarily non-free software and primarily non-
> software vendors.  Of the existing linux-distros members, maybe Amazon
> Linux AMI, MontaVista, and Wind River should be moved there.
> (Maybe also Chrome OS?)  And then maybe Enea and VMware would
> reasonably be added, too.  Not sure if IBM is non-free enough to be
> restricted to that list.
>
> The idea behind such list is that we'd let people decide who they want to
> notify: all distros (including this separate list) or just the more free'ish subset
> (not including this separate list).

Is there any reason for this separation? Is this something the upstream projects desire? We all want the same thing, we 
all care about security, that is why people want to be on this list. Is this an attempt to punish companies and their 
open source users just because these companies also have closed source products? What is unfree with Enea Linux?

I think it is good that more people show interest in security and want to be on the list. If being on this list helps 
security updates to spread more quickly, why not let these people/distros in as long as they are serious, reliable and 
follow the rules and processes.

Regards
//Sona