Re: linux-distros membership application - Microsoft

[Solar Designer <solar () openwall com>]

On Sat, Jul 06, 2019 at 06:29:36PM -0400, Sasha Levin wrote:
> On Sat, Jul 06, 2019 at 09:37:37PM +0200, Solar Designer wrote:
> > On Fri, Jun 28, 2019 at 01:08:12PM -0400, Sasha Levin wrote:
> > > Can I suggest that we fork the discussion around security-bugs.rst to
> > > LKML? I can suggest an initial patch to address your comments here but I
> > > think that this is better handled on LKML.
> >
> > Yes, please.
>
> Sure, give me a day or two to get it out. I'll cross-post
> LKML/ksummit-discuss/oss-security

Please just take this to LKML, without CC to oss-security.  We can
summarize the changes for oss-security separately.  I don't know about
relevance to ksummit-discuss.

> as I think it's one of those times it actually makes sense.

This might or might not be an exception, but in general CC'ing a thread
to LKML and oss-security is problematic and is specifically discouraged
in oss-security content guidelines:

https://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines

"Please don't cross-post messages to oss-security and other mailing
lists at once, especially not to high-volume lists such as LKML and
netdev, as this tends to result in threads that wander partially or
fully off-topic (e.g., Linux kernel coding style detail may end up being
discussed in comments to a patch posted to LKML, but it would be
off-topic for oss-security).  If you feel that something needs to be
posted to oss-security and to another list, please make separate
postings.  You may mention the other posting(s) in your oss-security
posting, and even link to other lists' archives."

> > More importantly, maybe we shouldn't list "Microsoft" as a member of
> > linux-distros.  Microsoft is so much more than the recent Linux-based
> > products and services.  We similarly list "Amazon Linux AMI" rather than
> > "Amazon", and "Chrome OS" rather than "Google" (and we had separately
> > listed "Android", which has since unsubscribed), and "Ubuntu" rather
> > than "Canonical".  OTOH, we were not as careful to list proper products,
> > etc. for some others such as "Oracle".
> >
> > If we list "Microsoft", this might be especially confusing since issues
> > being reported might also be relevant to Windows.  The reporters need to
> > know they're not reaching Windows security team unless they specifically
> > authorize that.
> >
> > Any suggestions on the above?
>
> Yes, this is tricky. Maybe "Microsoft Linux Systems Group"? Thats our
> group name within Microsoft. I guess that we can also add a short wiki
> page with references to the products/distros we support as well as a
> clarification that this has nothing to do with Windows and list MSRC's
> contact information.

I think listing "Microsoft Linux Systems Group" is enough to avoid the
confusion.  I support Moritz's request for you to add to our existing
wiki pages with vendors' security contact information, and you can list
the pertaining products/distros nearby.

Alexander