Re: independent volunteers on distros list

[Solar Designer <solar () openwall com>]

Hi,

We had independent volunteers subscribed to (linux-)distros since 2017,
as per the announcement over-quoted below.  Initially this was just
Tavis Ormandy.  Later it was also Jason A. Donenfeld.

I appreciate their help.  However, things have changed since 2017 -
we've since introduced specific tasks that specific distros handle,
whereas Tavis and Jason have been inactive as volunteers on the list
lately.  This is understandable as they have a lot of work to do on
other projects.

Thus, as I first communicated to them in private e-mail, I've just
unsubscribed Tavis and Jason, and updated the wiki accordingly (that we
no longer have independent volunteers on the list).

Thank you, Tavis and Jason, for your help.

Alexander

On Thu, May 25, 2017 at 09:37:44PM +0200, Solar Designer wrote:
> Hi,
>
> On the old vendor-sec list (1998(?) - 2011), there were not only distro
> vendors, but also individual volunteers (in fact, I was originally
> invited in that capacity, prior to Openwall having a Linux distro) and
> some major upstream projects (X.Org, Samba).  When vendor-sec ceased to
> exist, I setup the (linux-)distros list(s), intentionally calling them
> such to more clearly draw the line on who's to be accepted and to avoid
> slippery slope.
>
> While I'm still of the opinion that non-distro upstream projects should
> not be on those lists (instead, they are being CC'ed when needed), nor
> subject matter experts with certain domain-specific knowledge (ditto),
> I'd like to change my mind regarding the non-distro volunteers (aka
> security researchers) with broad expertise and a track record of
> evaluating vulnerabilities and fixes and finding more issues in those.
> I am referring e.g. to the aftermath of Shellshock public disclosure.
> Rather than have this happen post-disclosure, we can take the slightly
> higher risk of leaks (from having just a few more people subscribed, and
> perhaps people who are better equipped to deal with confidential
> information than most distros' representatives are) and have better
> understanding and fixes pre-disclosure.
>
> I am convinced there are ways to avoid the slippery slope should the
> issue arise.  There are few people out there who are at the same time
> capable (broad expertise and a track record of finding more issues in
> the fixes), willing, and available to volunteer, and who someone already
> subscribed would vouch for and no one would object against.  Perhaps
> fewer such people than we have distros.  For now these are the criteria,
> but if necessary there are other potential policies we could introduce.
>
> Unlike people subscribed for distros (whose primary reason to be
> subscribed is that they make use of the info to prepare fixes for their
> distro), the non-distro volunteers must be active and helpful in
> discussions as a condition for their continued subscription.  (Indeed,
> being active and helpful is encouraged for the distro subscribers as
> well, but it isn't a strict requirement as long as the distro is making
> good use of the info to prepare fixes.)
>
> The volunteer subscriptions will be of them as individuals, unrelated
> to their employment (if any), and they would be expected not to share
> the information with their employer(s), nor with anyone else, unless
> explicitly permitted.  The employer(s)' vulnerability disclosure
> policies, if any, would not apply.  If this is inconsistent with a
> given researcher's employment, that researcher should not accept to be
> subscribed.
>
> Specifically, at this time I am going to subscribe Tavis Ormandy, who
> happens to have been on vendor-sec.  I've already discussed this with
> him, and he agreed.
>
> I first brought this to distros list itself yesterday (after some
> private discussions with some individual distros, both recently and way
> earlier), and received no objections.  Some of the subscribed distros'
> representatives spoke in favor of this change (some on the list, some
> privately to me) and some also made comments (in particular, that we
> should emphasize that "the volunteer subscriptions will be of them as
> individuals, unrelated to their employment ...", which I did above).
>
> I'd appreciate any further comments that the broader community might
> have, but for now it's a decision made and I'll proceed.
>
> Thanks,
>
> Alexander