Re: FW: [oss-security] accepting new members to (linux-)distros lists
From: Mark H Weaver
Subject: Re: FW: [oss-security] accepting new members to (linux-)distros lists
Date: Wed, 05 Jul 2017 13:33:05 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)

address@hidden (Ludovic Courtès) writes:
> Leo Famulari <address@hidden> skribis:
>
>> I've seen some members of Guix express doubts about the utility of
>> private discussion forums like linux-distros, and I'm sympathetic.
>>
>> In fact, even without early notification, we are usually shipping
>> security updates for embargoed issues within 24 hours of public
>> disclosure, and usually within a few hours. And for non-embargoed
>> issues, we are shipping fixes earlier than the major distros very often.
>> I read the "security update round-ups" on LWN, and typically they are
>> full of bugs we already fixed. So, perhaps it wouldn't make a big
>> difference in most cases.
>>
>> But, the "Stack Clash" issues took us by surprise and we spent a few
>> days writing and testing our fixes. We are committed to supporting
>> 32-bit platforms where these bugs are apparently easy to exploit.
>> Without access to the exploits or detailed discussion, it was very
>> difficult to know if our fixes actually worked. So, we could have
>> responded more quickly and effectively with early notice.
>>
>> What do people think? Is anyone else interested in applying to join this
>> mailing list? Is anyone else willing to stick to the rules and to
>> participate?
>
> Like you say, you (and Mark and others) have been doing excellent work
> already without being on that list, but I agree that the early notice
> could help in some cases. So overall I think being on linux-distros is
> a good idea, and it seems like we meet the criteria.
>
> The real question is about our commitment to contribute back.
> Presumably only one or two of us would be on that list, so they would
> largely have that responsibility individually, even if the rest of us
> could of course help out as far as the embargo etc. permits.
>
> Long story short, I would be super happy if you or Mark were on that
> list.
>
> How do you feel about it?

It might be that joining linux-distros is the right thing to do, but I
don't have the spare capacity to contribute back at this time. Also, I
have mixed feelings about promising to keep security flaws a secret for
however long I'm asked to do so (which apparently exceeded the time
specified in the mailing list rules for Stack Clash). I'm not yet
prepared to make such a promise.

Mark