oss-sec mailing list archives

Re: Pop!_OS Membership to linux-distros list


From: Solar Designer <solar () openwall com>
Date: Tue, 27 Jul 2021 19:59:24 +0200

Hi Jeremy,

On Tue, Jul 20, 2021 at 02:23:26PM -0600, Jeremy Soller wrote:
> > 3. Have a publicly verifiable track record, dating back at least 1 year and
> > continuing to present day, of fixing security issues (including some that had
> > been handled on (linux-)distros, meaning that membership would have been
> > relevant to you) and releasing the fixes within 10 days (and preferably much
> > less than that) of the issues being made public (if it takes you ages to fix an
> > issue, your users wouldn't substantially benefit from the additional time,
> > often around 7 days and sometimes up to 14 days, that list membership could
> > give you)
> 
> Over the history of Pop!_OS, dating back to 2017, we have maintained critical
> packages and applied security patches soon after they are made public. Our
> membership to this list would significantly help our users stay secure by
> allowing us to prepare and test security updates ahead of public disclosure.
> Please see our GitHub organization for more evidence: https://github.com/pop-os

I think it'd be most convincing for us all to see specific examples of
you having "applied security patches soon after they are made public",
with dates public vs. fixed in Pop!_OS.

> > 7. Be able and willing to contribute back (see above), preferably in specific
> > ways announced in advance (so that you're responsible for a specific area and
> > so that we know what to expect from which member), and demonstrate actual
> > contributions once you've been a member for a while
> 
> I am able and willing to contribute back.

Please choose a specific task (or several).

I suggest the statistics task:

"13. Keep track of per-report and per-issue handling and disclosure
timelines (at least times of notification of the private list and of
actual public disclosure), at regular intervals produce and share
statistics (most notably, the average embargo duration) as well as the
raw data (except on issues that are still under embargo) by posting to
oss-security - primary: Amazon, backup: Gentoo"

As you can see, it is currently assigned to Amazon and Gentoo, but as
far as I can see neither is actually handling it now, so I'd like to
formally unassign it from them and have another distro handle it.

> > 9. Have someone already on the private list, or at least someone else who has
> > been active on oss-security for years but is not affiliated with your distro
> > nor your organization, vouch for at least one of the people requesting
> > membership on behalf of your distro (then that one vouched-for person will be
> > able to vouch for others on your team, in case you'd like multiple people
> > subscribed)
> 
> I do not know if I have contacts that are already on the linux-distros list.

It can also be "someone else who has been active on oss-security for
years but is not affiliated".  Anyone?

Thanks,

Alexander
