oss-sec mailing list archives
Re: linux-distros subscription
From: Michal Hrusecky <Michal.Hrusecky () nic cz>
Date: Wed, 18 Jan 2017 09:17:15 +0100
Solar Designer - 3:37 15.01.17 wrote:
> Hi Michal,
>
> On Fri, Jan 13, 2017 at 10:36:11AM +0100, Michal Hrusecky wrote:
> > I would like to request subscription to the linux-distros mailing list. I'm one of the maintainers of Turris OS - an OpenWRT fork used on Turris and Turris Omnia routers[1]. Not sure what has to be part of the application; on the wiki[2] I found only that I should request it here.
>
> Right. This basically tells us there's interest, and from whom and for what reasons. That's useful, so thanks for posting your request. However, in practice the list membership has been frozen since the last distro addition in April 2014, so for almost 3 years now. Since then, there were only removals and changes in who's subscribed for the previously accepted distros.

Thanks for the info.

> Perhaps we'll be forced to re-open this can of worms, or shut down these lists for good. Simply keeping them frozen is unfair to new distros requesting membership now. Simply accepting all who request membership based on mostly objective criteria, yet without introducing the distro's userbase size as a criterion, is, in my opinion, going to make things worse overall (in terms of balance of benefit to users vs. risk of leaks). Yet we might, as long as the benefit-risk is still deemed to be positive (even if less than now). Just to be fair.

Ok, what I forgot to mention is the user base. Our distribution is quite small, we have about 7 thousand users. Our distribution runs on routers we gave away in the past and on new ones that we are selling, and both have automatic updates enabled by default - so they get updates, including security ones, quite soon after we release them.

> Here's a thread from 2015 with some half-baked thoughts on the issues:
> http://www.openwall.com/lists/oss-security/2015/03/20/5

Thanks for the context, I understand it is a hard decision.

> Here are some recent requests:
> http://www.openwall.com/lists/oss-security/2016/10/21/2
> http://www.openwall.com/lists/oss-security/2016/10/25/2
>
> What's common about the timing of these: they were triggered by vulnerabilities that attracted a lot of media attention. This may be primarily about publicity and checklists ("our competitors are on that list, we should be too") and only secondarily about security. I do value the persistence of some distros/people reminding me about their requests, though - suggesting their interest is more likely genuine. And your request isn't nearly that "badly" timed. ;-)
>
> > Probably you will need some proof that I'm who I claim to be. You can see a bunch of commits on our gitlab[3] (signed by the same key I'm using to sign this mail) and you can reach me and some of my colleagues on the security () turris cz e-mail alias that is also listed as the security contact on our web[4]. We have infrastructure in place to work on embargoed issues without disclosing them to the public. Not sure whether there are any other requirements to meet. If so, please let me know.
> >
> > [1] https://omnia.turris.cz/en/
> > [2] http://oss-security.openwall.org/wiki/mailing-lists/distros
> > [3] https://gitlab.labs.nic.cz/turris/openwrt/commits/test
> > [4] https://www.turris.cz/en/contacts
>
> What would have been some recent issue likely handled via the distros list (this is often stated in the follow-up postings on oss-security, albeit not always) where the advance notification would have helped your project release a fix substantially sooner?

Hard to guess what is there. But basically, before we release anything we do test it, so from the point when we learn about the issue, it takes days to release a fix (after committing the fix, we build binaries, do some testing and only after that we release it for everybody). What is most important for us, I would say, are remotely exploitable kernel issues (here testing takes even more time), openssl, openssh and lighttpd.

> I notice you fixed OpenSSL CVE-2016-7056 promptly:
> https://gitlab.labs.nic.cz/turris/openwrt/commit/9aa88e76e70250dd219e8e228162bde045ade4f9
>
> However, that issue wasn't on the distros list.
>
> I also notice you've been on oss-security for half a year. That's good. However, I wasn't able to find any record of your past participation in this specific community. You might want to get more involved first.

Yep, I'm using it as one source of information about vulnerabilities we need to fix. I was thinking about how to respond to the contribution part; other mails helped me get some idea of what I can do to improve. I admit that I'm new to this field and I'm here mostly to learn about potential threats to our users. The company I work for contributes to security in general, but probably not in this specific community. I'm from CZ.NIC, which among other things runs the Czech CSIRT team. But that is a different department anyway. What we do in our team regarding security is probably nothing that would help us discover new vulnerabilities. What we do is give people the option to send us firewall logs; we use the results to build a greylist[1] and we allow people to check whether their IP tried to attack any of our users[2].

[1] https://www.turris.cz/en/greylist
[2] https://amihacked.turris.cz/

Personally, I'm not involved in those projects as I'm working most of the time on our distribution. I asked for the membership as I would be the one handling the issues on our end, and I understand the need to limit the audience as much as possible.

> And if/when we do re-open the list for additional distros, you'll be able to re-request membership.

Thank you, I will reapply when that happens and in the meantime will think about the suggestions others posted about how to contribute back.