oss-sec mailing list archives

Re: illumos (or at least danmcd) membership in the distros list

From: Demi Marie Obenour <demi () invisiblethingslab com>
Date: Thu, 14 Sep 2023 10:42:19 -0400

On Wed, Sep 13, 2023 at 08:21:22PM +0000, Dan McDonald wrote:

I'm requesting membership (for danmcd () mnx io <mailto:danmcd () mnx io> ) on the "distros" mailing list on behalf 
of illumos ( https://illumos.org ). We would join non-Linux participants such as those from Oracle Solaris, FreeBSD, 
NetBSD, and pkgsrc.

illumos was a fork of the old OpenSolaris, established in 2010.  Once Oracle closed OpenSolaris after illumos forked, 
we became the continuing legacy of what was OpenSolaris's OS/Net consolidation.  Like Linux, we have downstream 
distros.  Unlike Linux, illumos is more than what Linux would call, "kernel".  I know that Oracle Solaris is already 
on this list, but we are not a downstream of them, despite our common ancestry.

For now, I would like to add myself:  danmcd () mnx io.  I will be forwarding under separate cover a copy of this to 
security@illumos,org, which has participants from distros.  In addition to being a member of the illumos security 
team, I'm also the lead for the SmartOS distro of illumos.  Other distro leads may request joining here.

I will now address the eligibility guildelines:

• Be an actively maintained Unix-like operating system distro with substantial use of Open Source components

    • Have a userbase not limited to your own organization


illumos certainly qualifies for these criteria.

• Have a publicly verifiable track record, dating back at least 1 year and continuing to present day, of fixing 
security issues (including some that had been handled on (linux-)distros, meaning that membership would have been 
relevant to you) and releasing the fixes within 10 days (and preferably much less than that) of the issues being 
made public (if it takes you ages to fix an issue, your users wouldn't substantially benefit from the additional 
time, often around 7 days and sometimes up to 14 days, that list membership could give you)



There are people on this list who know me from one or more of:

- Old-days of Solaris inside Sun

- OpenSolaris

- illumos

who can vouch for my record here.  As an example, consider this (migrated from blogs.sun.com) post from 2007:  
https://kebe.com/blog/?p=413

• Not be (only) downstream or a rebuild of another distro (or else we need convincing additional justification of 
how the list membership would enable you to release fixes sooner, presumably not relying on the upstream distro 
having released their fixes first?)



Per earlier, because we forked OpenSolaris and Oracle closed it, illumos is the most-upstream in this sphere.

• Be a participant and preferably an active contributor in relevant public communities (most notably, if you're not 
watching for issues being made public on oss-security, which are a superset of those that had been handled on 
(linux-)distros, then there's no valid reason for you to be on (linux-)distros)



If you look at the illumos mailing list, I've addressed a few security vulnerabilities there.  E.g. 
https://illumos.topicbox.com/groups/developer/T13ef186a53edeb5c-M821cc18b5884e04e16daa8fd/cve-2023-31284-buffer-overflow-in-dev-net

• Accept the list policy (see above)
• Be able and willing to contribute back (see above), preferably in specific ways announced in advance (so that 
you're responsible for a specific area and so that we know what to expect from which member), and demonstrate 
actual contributions once you've been a member for a while

    • Be able and willing to handle PGP-encrypted e-mail


I will abide by these.

• Have someone already on the private list, or at least someone else who has been active on oss-security for years 
but is not affiliated with your distro nor your organization, vouch for at least one of the people requesting 
membership on behalf of your distro (then that one vouched-for person will be able to vouch for others on your 
team, in case you'd like multiple people subscribed)


Per above, I believe someone on this maling list can vouch for me.

Thank you,
Dan McDonald -- illumos core team, and SmartOS lead


Would security () illumos org be a better choice?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Attachment: signature.asc
Description:

Current thread:

illumos (or at least danmcd) membership in the distros list Dan McDonald (Sep 13)
- Re: illumos (or at least danmcd) membership in the distros list Katherine Mcmillan (Sep 13)
  - Re: illumos (or at least danmcd) membership in the distros list Dan McDonald (Sep 14)
- Re: illumos (or at least danmcd) membership in the distros list Bob Friesenhahn (Sep 14)
- Re: illumos (or at least danmcd) membership in the distros list Demi Marie Obenour (Sep 14)
  - Re: illumos (or at least danmcd) membership in the distros list Dan McDonald (Sep 14)
    - Re: illumos (or at least danmcd) membership in the distros list Jean Luc Picard (Sep 14)
  - Re: illumos (or at least danmcd) membership in the distros list Solar Designer (Sep 14)
    - Re: illumos (or at least danmcd) membership in the distros list Dan McDonald (Sep 14)
- Re: illumos (or at least danmcd) membership in the distros list Alan Coopersmith (Sep 14)
- Re: illumos (or at least danmcd) membership in the distros list Solar Designer (Sep 15)
  - Re: illumos (or at least danmcd) membership in the distros list Dan McDonald (Sep 18)
    - Re: illumos (or at least danmcd) membership in the distros list Solar Designer (Sep 22)
    - Re: illumos (or at least danmcd) membership in the distros list Solar Designer (Sep 22)
    - Re: illumos (or at least danmcd) membership in the distros list Dan McDonald (Sep 25)

(Thread continues...)