oss-sec mailing list archives
Re: accepting new members to (linux-)distros lists
From: Solar Designer <solar () openwall com>
Date: Mon, 3 Jul 2017 20:18:57 +0200
On Mon, Jul 03, 2017 at 02:51:27PM +0100, John Haxby wrote:
> What I would say though is that embargoed issues that go on a bug tracker should not be visible to anyone that doesn't have an actual need to know. If an internal bug tracker is generally open to anyone internal then for the purposes of embargo it might as well be public.

I think "might as well be public" is an exaggeration, but this would in fact be against distros list policy.

> It _should_ be self-evident that "need to know" includes making sure entries in internal bug trackers need to be similarly restricted but I do wonder if it's worth calling that out explicitly?

You're right. I'm not sure. This isn't the only thing we could call out explicitly. If we start listing examples of what's allowed and what's not, then another one or two would be about testing/QA of fixes, which Gentoo's internal "Pre-Release Disclosure of Vulnerability Information" policy mentions explicitly:

https://wiki.gentoo.org/wiki/Project:Security/Pre-Release-Disclosure

I added a link to it to the distros list wiki page yesterday, referring to it as an example. If we include such examples directly in the list policy specification, it'd become lengthy and redundant, and I don't want it to be. Maybe this should be a set of examples clarifying yet separate from the list policy specification.

> PS For contributing back I have given myself a "must try harder" mark.

Thanks. Please let us know at which specific tasks you'll try harder.

Alexander