Re: Thoughts about security of Linux distributor collaboration platforms, bugtrackers for opensource software

[Scotty Bauer <sbauer () eng utah edu>]

I assume most severe linux bugs are going through the distros list which does exactly as you describe in your mail...

http://oss-security.openwall.org/wiki/mailing-lists/distros

On 02/12/2016 10:52 PM, halfdog wrote:
> Hello List,
>
> As just written in a mail to another list, this might also be
> interesting for discussion here.:
>
> As it would be the most natural thing for e.g. NSA, China, ... (those
> with capabilities to monitor large amount of network traffic) to just
> record all mails from large-scale Linux distribution collaboration and
> issue tracking systems containing the keyword "security", and as this is
> very cheap way to get to near-zero day material, I would assume, that
> this is already done. This is like serving them zero days on a golden
> plate.
>
> Hence really critical security material perhaps should not go to such
> platforms, e.g. Ubuntu Launchpad, or the platform should be modified to
> send security issues only in encrypted mails without talkative title,
> members without mail public key registered should get only message "Bug
> [Number]: Info changed" including the HTTPS link to the issue in the
> platform.
>
> What do you think?
>
> Does someone have a link to anyone having access to the selector lists
> leaked by Snowden to ask them, which of the distros are already in scope
> or otherwise to discard this e-mail as pure paranoia?
>
> Kind regards,
> hd