From: Leo Famulari
Subject: Re: FW: [oss-security] accepting new members to (linux-)distros lists
Date: Fri, 7 Jul 2017 15:18:40 -0400
Message-ID: <20170707191840.GA26371@jasmine.lan>
In-Reply-To: <87efu3h015.fsf@gmail.com>
References: <20170628213609.GA14802@jasmine.lan> <87efu3h015.fsf@gmail.com>
To: Alex Vong
Cc: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

On Thu, Jun 29, 2017 at 12:48:22PM +0800, Alex Vong wrote:
> Leo Famulari writes:
>
> [...]
> > But, the "Stack Clash" issues took us by surprise and we spent a few
> > days writing and testing our fixes. We are committed to supporting
> > 32-bit platforms where these bugs are apparently easy to exploit.
> > Without access to the exploits or detailed discussion, it was very
> > difficult to know if our fixes actually worked. So, we could have
> > responded more quickly and effectively with early notice.
> [...]
>
> Should we bring this discussion to nix devs as well? I am sure they are
> facing the same issue of not having early access to vulnerabilities. It
> will be insightful to know how they dealt with it in the past and their
> opinions on joining the list.

If somebody who has a relationship with the Nix team would like to
discuss it with them, I'd be happy to hear the result, but I don't really
have time for it right now.

Also, we would not be able to discuss embargoed bugs from linux-distros
with them, according to the list policy.

Besides, I think our present situation and practices regarding security
updates are very different from Nix's. They have different tools for
shipping security updates, and they do the "stable" branch thing.