[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: FW: [oss-security] accepting new members to (linux-)distros lists
From: |
Marius Bakke |
Subject: |
Re: FW: [oss-security] accepting new members to (linux-)distros lists |
Date: |
Thu, 29 Jun 2017 21:27:50 +0200 |
User-agent: |
Notmuch/0.24.2 (https://notmuchmail.org) Emacs/25.2.1 (x86_64-unknown-linux-gnu) |
Leo Famulari <address@hidden> writes:
> It was hinted at ~1 week ago in the public "Stack Clash" discussion on
> oss-security, but now there has been an announcement: the private
> linux-distros early-notice security discussion and coordination mailing
> list is accepting new members:
>
> http://seclists.org/oss-sec/2017/q2/638
>
> The criteria are listed in the forwarded message below. I'd say we can
> meet them. Perhaps they'd say that Guix is too obscure, but I don't have
> any idea how many users we have. We'd need to have a good plan for #7,
> "Be able and willing to contribute back". I'm assuming we'd have
> somebody to vouch for us (#9).
>
> I've seen some members of Guix express doubts about the utility of
> private discussion forums like linux-distros, and I'm sympathetic.
>
> In fact, even without early notification, we are usually shipping
> security updates for embargoed issues within 24 hours of public
> disclosure, and usually within a few hours. And for non-embargoed
> issues, we are shipping fixes earlier than the major distros very often.
> I read the "security update round-ups" on LWN, and typically they are
> full of bugs we already fixed. So, perhaps it wouldn't make a big
> difference in most cases.
>
> But, the "Stack Clash" issues took us by surprise and we spent a few
> days writing and testing our fixes. We are committed to supporting
> 32-bit platforms where these bugs are apparently easy to exploit.
> Without access to the exploits or detailed discussion, it was very
> difficult to know if our fixes actually worked. So, we could have
> responded more quickly and effectively with early notice.
>
> What do people think? Is anyone else interested in applying to join this
> mailing list? Is anyone else willing to stick to the rules and to
> participate?
I'm not sure how much I can "contribute back", but it would definitely
be good to have early notice about these sometimes very difficult fixes.
In fact, up until the recent glibc kerfuffle I assumed Guix was already
on oss-distros, thanks to you and Marks incessant vigilance!
I also think we meet the criteria, and really don't want another
instance of "oops, we left i686 vulnerable an extra day because we
didn't have time to test the fix properly". So, I'm willing to join the
application, but would be happy to just have *someone* in the know.
We have a responsibility to keep our users safe, and joining the
linux-distros list would give us some extra leeway which seems like a
smart thing to do given our limited resources.
signature.asc
Description: PGP signature