oss-sec mailing list archives
Re: linux-distros membership application - Microsoft
From: Sasha Levin <sashal () kernel org>
Date: Sun, 11 Aug 2019 22:47:51 -0400
On Thu, Jun 27, 2019 at 04:03:21PM +0200, Solar Designer wrote:
> On Wed, Jun 26, 2019 at 10:13:58AM -0400, Sasha Levin wrote:
> > We understand this need and will be contributing back. Looking at the list of vacant positions I can suggest the following, but I suspect that existing list members will have better suggestions.
> >
> > Technical:
> >
> > 3. Review and/or test the proposed patches and point out potential issues with them (such as incomplete fixes for the originally reported issues, additional issues you might notice, and newly introduced bugs), and inform the list of the work done even if no issues were encountered - primary: Amazon, backup: vacant
> >
> > Administrative:
> >
> > 3. Evaluate if the issue (or one of the issues) is effectively already public (e.g., a fix is committed upstream with a descriptive message) or/and is low severity and thus the report (or its portion pertaining to the issue) should be made public right away for one or both of these reasons, get a few other list members to confirm this understanding, and if there are no objections then communicate this strong preference to the reporter - primary: CloudLinux, backup: vacant
>
> If Microsoft volunteers for these, I'd like that to be in "primary" role at least for the technical task of "3. Review and/or test the proposed patches ..." I think Amazon hasn't been doing enough on that front, especially given the request to "inform the list of the work done even if no issues were encountered". Given this request, if this were seriously worked on, I would have expected such reports from Amazon on almost every issue handled on linux-distros, but this wasn't the case.
>
> I also would like a distro (maybe Microsoft) to volunteer for
>
> Technical:
>
> 4. Check if related issues exist in the same piece of software (e.g., same bug class common across the software, or other kinds of bugs exist in its problematic component), and inform the list either way
>
> and
>
> Administrative:
>
> 4. Evaluate relevance to other parties such as the upstream, other affected distros (not present on the (sub-)list), and other Open Source projects, see if the report mentions notifying any of these, communicate your findings and possible concerns to the reporter and the list, and stay on top of the resulting discussion until a decision is made on who else to possibly notify (or not) and any such notifications are in fact made (with the reporter's approval)
>
> These are completely unclaimed now, but are much needed.
>
> For Technical "4. Check if related issues exist ...", we sometimes get some help from varying distros' package maintainers and such, but this is not consistent. For example, recently Takashi Iwai of SUSE helped with Linux Marvell Wi-Fi driver issues - thanks! - but this is more of an exception than the rule.
>
> The lack of a volunteer distro for Administrative "4. Evaluate relevance to other parties ..." came up e.g. here:
>
> "Linux kernel: Bluetooth: two remote infoleaks (CVE-2019-3459, CVE-2019-3460)"
> https://www.openwall.com/lists/oss-security/2019/01/11/2
Since Ubuntu took over quite a few tasks (thanks!), I can suggest the following tasks for Microsoft:

As primary, administrative: "4. Evaluate relevance to other parties such as the upstream, other affected distros (not present on the (sub-)list), and other Open Source projects, ...".

As backup, administrative: "3. Evaluate if the issue (or one of the issues) is effectively already public ...".

I can also offer to act as a liaison between linux-distros and security@k.o now, and MSRC in the future.

--
Thanks,
Sasha