unofficial mirror of guix-devel@gnu.org 
* FW: [oss-security] accepting new members to (linux-)distros lists
From: Leo Famulari @ 2017-06-28 21:36 UTC
  To: guix-devel

It was hinted at ~1 week ago in the public "Stack Clash" discussion on
oss-security, but now there has been an announcement: the private
linux-distros early-notice security discussion and coordination mailing
list is accepting new members:

http://seclists.org/oss-sec/2017/q2/638

The criteria are listed in the forwarded message below. I'd say we can
meet them. Perhaps they'd say that Guix is too obscure, but I don't have
any idea how many users we have. We'd need to have a good plan for #7,
"Be able and willing to contribute back". I'm assuming we'd have
somebody to vouch for us (#9).

I've seen some members of Guix express doubts about the utility of
private discussion forums like linux-distros, and I'm sympathetic.

In fact, even without early notification, we are usually shipping
security updates for embargoed issues within 24 hours of public
disclosure, and usually within a few hours. And for non-embargoed
issues, we are shipping fixes earlier than the major distros very often.
I read the "security update round-ups" on LWN, and typically they are
full of bugs we already fixed. So, perhaps it wouldn't make a big
difference in most cases.

But, the "Stack Clash" issues took us by surprise and we spent a few
days writing and testing our fixes. We are committed to supporting
32-bit platforms where these bugs are apparently easy to exploit.
Without access to the exploits or detailed discussion, it was very
difficult to know if our fixes actually worked. So, we could have
responded more quickly and effectively with early notice.

What do people think? Is anyone else interested in applying to join this
mailing list? Is anyone else willing to stick to the rules and to
participate?

Leo

----- Forwarded message from Solar Designer <solar@openwall.com> -----

Date: Wed, 28 Jun 2017 22:02:40 +0200
From: Solar Designer <solar@openwall.com>
To: oss-security@lists.openwall.com
Subject: [oss-security] accepting new members to (linux-)distros lists
User-Agent: Mutt/1.4.2.3i

Hi,

I have finally specified the criteria for accepting new members to the
(linux-)distros lists.  I intend to process the requests, which are to
be posted to new threads each (one thread per distro wanting to join).

I put quite some thought (and experience so far) into these criteria,
but I welcome any comments and suggested changes this community might
have.  The list of criteria will be maintained on the wiki:

http://oss-security.openwall.org/wiki/mailing-lists/distros#membership-criteria

Currently, to be eligible for (linux-)distros list membership, your
distro should:

1. Be an actively maintained Unix-like operating system distro with
substantial use of Open Source components

2. Have a userbase not limited to your own organization

3. Have a publicly verifiable track record, dating back at least 1 year
and continuing to present day, of fixing security issues (including some
that had been handled on (linux-)distros, meaning that membership would
have been relevant to you) and releasing the fixes within 10 days (and
preferably much less than that) of the issues being made public (if it
takes you ages to fix an issue, your users wouldn't substantially
benefit from the additional time, often around 7 days and sometimes up
to 14 days, that list membership could give you)

4. Not be (only) downstream or a rebuild of another distro (or else we
need convincing additional justification of how the list membership
would enable you to release fixes sooner, presumably not relying on the
upstream distro having released their fixes first?)

5. Be a participant and preferably an active contributor in relevant
public communities (most notably, if you're not watching for issues
being made public on oss-security, which are a superset of those that
had been handled on (linux-)distros, then there's no valid reason for
you to be on (linux-)distros)

6. Accept the list policy:
http://oss-security.openwall.org/wiki/mailing-lists/distros#list-policy-and-instructions-for-members
(also quoted below)

7. Be able and willing to contribute back, preferably in specific ways
announced in advance (so that you're responsible for a specific area and
so that we know what to expect from which member), and demonstrate
actual contributions once you've been a member for a while:
http://oss-security.openwall.org/wiki/mailing-lists/distros#contributing-back
(also quoted below)

8. Be able and willing to handle PGP-encrypted e-mail

9. Have someone already on the private list, or at least someone else
who has been active on oss-security for years but is not affiliated with
your distro nor your organization, vouch for at least one of the people
requesting membership on behalf of your distro (then that one
vouched-for person will be able to vouch for others on your team, in
case you'd like multiple people subscribed)

Membership requests should provide answers per each of these criteria.

I came up with many current tasks/roles that a new or existing member
could usefully help with, thereby contributing to the team effort.
Currently the wiki page lists a total of 18 such items: 5 technical and
13 administrative.  I'd prefer that new membership requests include
specifics on what the new member will contribute - this can be work on
some of these 18 items or/and something else.

Right now, most of these things I listed are everyone's and thus no
one's responsibility (and they often fall back on me as list admin).
I want this to change.  Ideally, we'd list specific distros for each one
of these tasks/roles... and if something required is not done or goes
wrong per one of those roles, we'll ask them to explain why and correct
that for further occasions.  This will also serve to verify that they're
still active and paying attention, replacing my responsiveness tests.

Here are the current tasks/roles to choose from or/and add to:

Technical (in arbitrary order):

1. Propose (other) ways to fix, work around, or mitigate the reported
issues

2. Develop and share fixes, workarounds, or mitigations

3. Review and/or test the proposed patches and point out potential
issues with them (such as incomplete fixes for the originally reported
issues, additional issues you might notice, and newly introduced bugs)

4. Generalize the reported issues to see if other closely related issues
exist (e.g., if a bug is reported against one implementation of X, see
if a similar bug exists in another implementation of X and inform the
list of either result)

5. Produce and share well-reasoned estimates for the time required to
handle the issues under embargo (such as to (re)negotiate the public
disclosure date and/or to choose between the different ways to handle an
issue)

Administrative (roughly in chronological order, although many of these
activities overlap):

1. Promptly review new issue reports for meeting the list's requirements
and confirm receipt of the report and, when necessary, inform the
reporter of any issues with their report (e.g., obviously not actionable
by the distros) and request and/or propose any required yet missing
information (most notably, a tentative public disclosure date)

2. See if the proposed public disclosure date is within list policy, and
if not then insist on getting this corrected and propose a suitable
earlier date

3. Evaluate if the issue (or one of the issues) is effectively already
public (e.g., a fix is committed upstream with a descriptive message)
or/and is low severity and thus the report (or its portion pertaining to
the issue) should be made public right away for one or both of these
reasons, get a few other list members to confirm this understanding, and
if there are no objections then communicate this strong preference to
the reporter

4. Evaluate relevance to other parties, such as the upstream, other
affected distros (not present here), and other Open Source projects, see
if the report mentions notifying any of these, communicate your findings
and possible concerns to the reporter and the list, and stay on top of
the resulting discussion until a decision is made on who else to
possibly notify (or not) and any such notifications are in fact made

5. If multiple issues are reported at once, see if any of them can
reasonably be made public sooner than the rest, and if so help untangle
them and stay on top of their disclosure process

6. If CVE IDs are requested, the report is valid, and you're a CNA,
assign those (requesting any required information from the reporter
first)

7. If the report does not mention CVE IDs (neither requests nor provides
them, and doesn't mention the reporter having requested them elsewhere),
yet the report is valid and it looks like distros will need CVE IDs, and
you're a CNA, ask the reporter whether they have already requested CVE
IDs elsewhere, then assign those if they haven't been requested
elsewhere

8. Stay on top of issues to ensure progress is being made, remind others
when there's no apparent progress, as well as when the public disclosure
date for an issue is approaching and when it's finally reached (unless
the reporter beats you to it by making their mandatory posting to
oss-security first)

9. Monitor relevant public channels (mailing lists, code repositories,
etc.) and inform the reporter and the list in case an issue is made
public prematurely (that is, leaks or is independently rediscovered)

10. Make sure the mandatory oss-security posting is made promptly and is
sufficiently detailed, and remind the reporter if not

11. If exploit(s) were shared on the list, make sure that either they're
included in the oss-security posting along with the issue detail or the
posting includes an announcement of planned later posting of the
exploits (with the delay being within list policy), and in the latter
case also make sure that the later posting is in fact made as planned,
and remind the reporter if not

12. Help evaluate new (linux-)distros list membership requests per the
current criteria (participating in the corresponding oss-security
threads)

13. Vouch for people wanting to join in on behalf of a new distro member
as long as you are confident of their trustworthiness, expected proper
use of the list, and contributions

Finally, I also came up with specific policy on handling of embargoed
information.  Most of this was taken for granted so far, and this worked
well, but there were a few gray areas.  The currently proposed policy,
which list members have to agree to, is as follows:

Aside from your participation in discussions with the reporter and on
the (linux-)distros lists (including possibly continuing to CC other
prior recipients of the information), the information you receive
through the (linux-)distros lists must not be made public, shared, nor
even hinted at anywhere beyond the need-to-know within your distro's
team, until the agreed upon public disclosure date/time, the reporter's
explicit approval, or substantially complete publication by others.

Neither you nor others you inform may use the information for anything
other than getting the issue fixed for your distro's users and, only in
rare extreme cases, for deployment of maximally non-revealing changes to
maintain security of your distro's infrastructure most essential to the
distro users' security in face of the security issue being dealt with.
The need-to-know condition is met only if the person needs to
participate in one of these two activities.

Before you share the information with others within your distro's team
based on their need-to-know, you need to get these people to agree to
these same terms, optionally (and preferably) with the additional
limitation that they may not share the information further (not even
with others on the team, not even based on need-to-know) without
explicit approval by you or another individual directly subscribed to
the (linux-)distros list for your distro.

In the unfortunate event that you happen to share or/and use the
information beyond what's allowed by this policy (thus, creating a
leak), you must urgently (right after you became aware of the leak)
inform the reporter and the (linux-)distros (sub-)list you had received
the information from of the leak and of its extent (if readily known).
You must also conduct an internal investigation of the leak, and inform
the reporter and the list of the exact extent of the leak (to the best
of your knowledge) and of measures (intended to be) taken to prevent
such leaks going forward.

The above is the main policy definition, but in case you prefer the
Traffic Light Protocol, in its terms this is TLP:AMBER with the
need-to-know condition as specified above and with the following
additional limitation on sharing: you must not share the information
with anyone outside of your distro's team, including not within the rest
of your organization nor with your clients or customers, including not
in any derived form (not even through delivering or deploying
undocumented fixes).  Once the embargo is over, this is TLP:WHITE.

I am sorry for the long message.  I quote these pieces from the wiki in
here to allow for quoting in a possible discussion thread - such as for
distros (both those already on the private lists and not) to volunteer
for specific roles (please do!)

Alexander

----- End forwarded message -----

* Re: FW: [oss-security] accepting new members to (linux-)distros lists
From: ng0 @ 2017-06-28 22:45 UTC
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari transcribed 14K bytes:
> It was hinted at ~1 week ago in the public "Stack Clash" discussion on
> oss-security, but now there has been an announcement: the private
> linux-distros early-notice security discussion and coordination mailing
> list is accepting new members:
> 
> http://seclists.org/oss-sec/2017/q2/638

W… ouch, some of these points are so very excluding.
If someone of us has the time to invest in there, of course it would
be good.

Guix being too obscure is the in-joke/"explanation"/excuse for
rejection which could happen, of course. But we can still try.
-- 
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://n0is.noblogs.org/my-keys
infotropique: https://www.infotropique.org

* Re: FW: [oss-security] accepting new members to (linux-)distros lists
From: Alex Vong @ 2017-06-29  4:48 UTC
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> writes:

[...]
> But, the "Stack Clash" issues took us by surprise and we spent a few
> days writing and testing our fixes. We are committed to supporting
> 32-bit platforms where these bugs are apparently easy to exploit.
> Without access to the exploits or detailed discussion, it was very
> difficult to know if our fixes actually worked. So, we could have
> responded more quickly and effectively with early notice.
[...]

Should we bring this discussion to nix devs as well? I am sure they are
facing the same issue of not having early access to vulnerabilities. It
will be insightful to know how they dealt with it in the past and their
opinions on joining the list.

* Re: FW: [oss-security] accepting new members to (linux-)distros lists
From: Marius Bakke @ 2017-06-29 19:27 UTC
  To: Leo Famulari, guix-devel

Leo Famulari <leo@famulari.name> writes:

> It was hinted at ~1 week ago in the public "Stack Clash" discussion on
> oss-security, but now there has been an announcement: the private
> linux-distros early-notice security discussion and coordination mailing
> list is accepting new members:
>
> http://seclists.org/oss-sec/2017/q2/638
>
> The criteria are listed in the forwarded message below. I'd say we can
> meet them. Perhaps they'd say that Guix is too obscure, but I don't have
> any idea how many users we have. We'd need to have a good plan for #7,
> "Be able and willing to contribute back". I'm assuming we'd have
> somebody to vouch for us (#9).
>
> I've seen some members of Guix express doubts about the utility of
> private discussion forums like linux-distros, and I'm sympathetic.
>
> In fact, even without early notification, we are usually shipping
> security updates for embargoed issues within 24 hours of public
> disclosure, and usually within a few hours. And for non-embargoed
> issues, we are shipping fixes earlier than the major distros very often.
> I read the "security update round-ups" on LWN, and typically they are
> full of bugs we already fixed. So, perhaps it wouldn't make a big
> difference in most cases.
>
> But, the "Stack Clash" issues took us by surprise and we spent a few
> days writing and testing our fixes. We are committed to supporting
> 32-bit platforms where these bugs are apparently easy to exploit.
> Without access to the exploits or detailed discussion, it was very
> difficult to know if our fixes actually worked. So, we could have
> responded more quickly and effectively with early notice.
>
> What do people think? Is anyone else interested in applying to join this
> mailing list? Is anyone else willing to stick to the rules and to
> participate?

I'm not sure how much I can "contribute back", but it would definitely
be good to have early notice about these sometimes very difficult fixes.
In fact, up until the recent glibc kerfuffle I assumed Guix was already
on oss-distros, thanks to you and Mark's incessant vigilance!

I also think we meet the criteria, and really don't want another
instance of "oops, we left i686 vulnerable an extra day because we
didn't have time to test the fix properly". So, I'm willing to join the
application, but would be happy to just have *someone* in the know.

We have a responsibility to keep our users safe, and joining the
linux-distros list would give us some extra leeway which seems like a
smart thing to do given our limited resources.

* Re: FW: [oss-security] accepting new members to (linux-)distros lists
From: Ludovic Courtès @ 2017-07-01 13:26 UTC
  To: Leo Famulari; +Cc: guix-devel

Hello,

Leo Famulari <leo@famulari.name> skribis:

> I've seen some members of Guix express doubts about the utility of
> private discussion forums like linux-distros, and I'm sympathetic.
>
> In fact, even without early notification, we are usually shipping
> security updates for embargoed issues within 24 hours of public
> disclosure, and usually within a few hours. And for non-embargoed
> issues, we are shipping fixes earlier than the major distros very often.
> I read the "security update round-ups" on LWN, and typically they are
> full of bugs we already fixed. So, perhaps it wouldn't make a big
> difference in most cases.
>
> But, the "Stack Clash" issues took us by surprise and we spent a few
> days writing and testing our fixes. We are committed to supporting
> 32-bit platforms where these bugs are apparently easy to exploit.
> Without access to the exploits or detailed discussion, it was very
> difficult to know if our fixes actually worked. So, we could have
> responded more quickly and effectively with early notice.
>
> What do people think? Is anyone else interested in applying to join this
> mailing list? Is anyone else willing to stick to the rules and to
> participate?

Like you say, you (and Mark and others) have been doing excellent work
already without being on that list, but I agree that the early notice
could help in some cases.  So overall I think being on linux-distros is
a good idea, and it seems like we meet the criteria.

The real question is about our commitment to contribute back.
Presumably only one or two of us would be on that list, so they would
largely have that responsibility individually, even if the rest of us
could of course help out as far as the embargo etc. permits.

Long story short, I would be super happy if you or Mark were on that
list.

How do you feel about it?

Thanks,
Ludo’.

* Re: FW: [oss-security] accepting new members to (linux-)distros lists
From: Mark H Weaver @ 2017-07-05 17:33 UTC
  To: Ludovic Courtès; +Cc: guix-devel

ludo@gnu.org (Ludovic Courtès) writes:

> Leo Famulari <leo@famulari.name> skribis:
>
>> I've seen some members of Guix express doubts about the utility of
>> private discussion forums like linux-distros, and I'm sympathetic.
>>
>> In fact, even without early notification, we are usually shipping
>> security updates for embargoed issues within 24 hours of public
>> disclosure, and usually within a few hours. And for non-embargoed
>> issues, we are shipping fixes earlier than the major distros very often.
>> I read the "security update round-ups" on LWN, and typically they are
>> full of bugs we already fixed. So, perhaps it wouldn't make a big
>> difference in most cases.
>>
>> But, the "Stack Clash" issues took us by surprise and we spent a few
>> days writing and testing our fixes. We are committed to supporting
>> 32-bit platforms where these bugs are apparently easy to exploit.
>> Without access to the exploits or detailed discussion, it was very
>> difficult to know if our fixes actually worked. So, we could have
>> responded more quickly and effectively with early notice.
>>
>> What do people think? Is anyone else interested in applying to join this
>> mailing list? Is anyone else willing to stick to the rules and to
>> participate?
>
> Like you say, you (and Mark and others) have been doing excellent work
> already without being on that list, but I agree that the early notice
> could help in some cases.  So overall I think being on linux-distros is
> a good idea, and it seems like we meet the criteria.
>
> The real question is about our commitment to contribute back.
> Presumably only one or two of us would be on that list, so they would
> largely have that responsibility individually, even if the rest of us
> could of course help out as far as the embargo etc. permits.
>
> Long story short, I would be super happy if you or Mark were on that
> list.
>
> How do you feel about it?

It might be that joining linux-distros is the right thing to do, but I
don't have the spare capacity to contribute back at this time.  Also, I
have mixed feelings about promising to keep security flaws a secret for
however long I'm asked to do so (which apparently exceeded the time
specified in the mailing list rules for Stack Clash).  I'm not yet
prepared to make such a promise.

       Mark

* Re: FW: [oss-security] accepting new members to (linux-)distros lists
From: Leo Famulari @ 2017-07-07 19:18 UTC
  To: Alex Vong; +Cc: guix-devel

On Thu, Jun 29, 2017 at 12:48:22PM +0800, Alex Vong wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> [...]
> > But, the "Stack Clash" issues took us by surprise and we spent a few
> > days writing and testing our fixes. We are committed to supporting
> > 32-bit platforms where these bugs are apparently easy to exploit.
> > Without access to the exploits or detailed discussion, it was very
> > difficult to know if our fixes actually worked. So, we could have
> > responded more quickly and effectively with early notice.
> [...]
> 
> Should we bring this discussion to nix devs as well? I am sure they are
> facing the same issue of not having early access to vulnerabilities. It
> will be insightful to know how they dealt with it in the past and their
> opinions on joining the list.

If somebody who has a relationship with the Nix team would like to
discuss it with them, I'd be happy to hear the result, but I don't
really have time for it right now. Also, we would not be able to discuss
embargoed bugs from linux-distros with them, according to the list
policy.

Besides, I think our present situation and practices regarding security
updates are very different from Nix's. They have different tools for
shipping security updates, and they do the "stable" branch thing.

* Re: FW: [oss-security] accepting new members to (linux-)distros lists
From: Leo Famulari @ 2017-07-07 19:38 UTC
  To: Mark H Weaver; +Cc: guix-devel

On Wed, Jul 05, 2017 at 01:33:05PM -0400, Mark H Weaver wrote:
> ludo@gnu.org (Ludovic Courtès) writes:
> > The real question is about our commitment to contribute back.
> > Presumably only one or two of us would be on that list, so they would
> > largely have that responsibility individually, even if the rest of us
> > could of course help out as far as the embargo etc. permits.
> >
> > Long story short, I would be super happy if you or Mark were on that
> > list.
> >
> > How do you feel about it?
> 
> It might be that joining linux-distros is the right thing to do, but I
> don't have the spare capacity to contribute back at this time.  Also, I
> have mixed feelings about promising to keep security flaws a secret for
> however long I'm asked to do so (which apparently exceeded the time
> specified in the mailing list rules for Stack Clash).  I'm not yet
> prepared to make such a promise.

I also don't have the time to contribute back to the linux-distros list
at the level required in the list membership criteria.

The work I do for Guix is my best effort and I think it's understood
that, as a volunteer, there will be times when I am unavailable. My
job's schedule is irregular and has to take precedence.

On the other hand, it seems like the linux-distros mailing list
community is trying to formally assign tasks for members to fulfill for
the benefit of their community.

Currently, I can't commit to doing any task by myself for the entire
Linux distro community. Also, I don't think there is anybody on the list
who knows me and could vouch for me alone.

If there were another Guix member who could split the task, and had
someone to vouch for them, that could make it possible. But based on the
replies in the last 10 days, it doesn't seem to be the case.

* Re: FW: [oss-security] accepting new members to (linux-)distros lists
From: Ludovic Courtès @ 2017-07-10 15:53 UTC
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> skribis:

> On Wed, Jul 05, 2017 at 01:33:05PM -0400, Mark H Weaver wrote:
>> ludo@gnu.org (Ludovic Courtès) writes:
>> > The real question is about our commitment to contribute back.
>> > Presumably only one or two of us would be on that list, so they would
>> > largely have that responsibility individually, even if the rest of us
>> > could of course help out as far as the embargo etc. permits.
>> >
>> > Long story short, I would be super happy if you or Mark were on that
>> > list.
>> >
>> > How do you feel about it?
>> 
>> It might be that joining linux-distros is the right thing to do, but I
>> don't have the spare capacity to contribute back at this time.  Also, I
>> have mixed feelings about promising to keep security flaws a secret for
>> however long I'm asked to do so (which apparently exceeded the time
>> specified in the mailing list rules for Stack Clash).  I'm not yet
>> prepared to make such a promise.
>
> I also don't have the time to contribute back to the linux-distros list
> at the level required in the list membership criteria.
>
> The work I do for Guix is my best effort and I think it's understood
> that, as a volunteer, there will be times when I am unavailable. My
> job's schedule is irregular and has to take precedence.
>
> On the other hand, it seems like the linux-distros mailing list
> community is trying to formally assign tasks for members to fulfill for
> the benefit of their community.
>
> Currently, I can't commit to doing any task by myself for the entire
> Linux distro community. Also, I don't think there is anybody on the list
> who knows me and could vouch for me alone.
>
> If there were another Guix member who could split the task, and had
> someone to vouch for them, that could make it possible. But based on the
> replies in the last 10 days, it doesn't seem to be the case.

There’s a handful of Guix contributors who’ve been active on security
fixes, so it would be great if one of them could team up with you!

Ludo’.

* Re: FW: [oss-security] accepting new members to (linux-)distros lists
From: Ludovic Courtès @ 2017-07-10 15:56 UTC
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> skribis:

> On Thu, Jun 29, 2017 at 12:48:22PM +0800, Alex Vong wrote:
>> Leo Famulari <leo@famulari.name> writes:
>> 
>> [...]
>> > But, the "Stack Clash" issues took us by surprise and we spent a few
>> > days writing and testing our fixes. We are committed to supporting
>> > 32-bit platforms where these bugs are apparently easy to exploit.
>> > Without access to the exploits or detailed discussion, it was very
>> > difficult to know if our fixes actually worked. So, we could have
>> > responded more quickly and effectively with early notice.
>> [...]
>> 
>> Should we bring this discussion to nix devs as well? I am sure they are
>> facing the same issue of not having early access to vulnerabilities. It
>> will be insightful to know how they dealt with it in the past and their
>> opinions on joining the list.
>
> If somebody who has a relationship with the Nix team would like to
> discuss it with them, I'd be happy to hear the result, but I don't
> really have time for it right now. Also, we would not be able to discuss
> embargoed bugs from linux-distros with them, according to the list
> policy.
>
> Besides, I think our present situation and practices regarding security
> updates are very different from Nix's. They have different tools for
> shipping security updates, and they do the "stable" branch thing.

Indeed.  We can learn by working with each other in general, but for
this particular topic I think it wouldn’t be that helpful.  In addition
to having different tools and practices, Nix and Guix are simply
different distros.

Ludo’.


* Re: FW: [oss-security] accepting new members to (linux-)distros lists
  2017-07-10 15:53       ` Ludovic Courtès
@ 2017-07-10 17:24         ` Leo Famulari
  0 siblings, 0 replies; 11+ messages in thread
From: Leo Famulari @ 2017-07-10 17:24 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel


On Mon, Jul 10, 2017 at 05:53:24PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> > If there were another Guix member who could split the task, and had
> > someone to vouch for them, that could make it possible. But based on the
> > replies in the last 10 days, it doesn't seem to be the case.
> 
> There’s a handful of Guix contributors who’ve been active on security
> fixes, so it would be great if one of them could team up with you!

Yes, I'd be willing to apply for membership if I had a partner.

There is also the issue of finding someone to vouch for us. According
to the membership criteria [0]:

"9. Have someone already on the private list, or at least someone else
who has been active on oss-security for years but is not affiliated with
your distro nor your organization, vouch for at least one of the people
requesting membership on behalf of your distro (then that one
vouched-for person will be able to vouch for others on your team, in
case you'd like multiple people subscribed)"

I don't think I know anyone who meets those criteria.

I understand that people may not want to discuss that in public. If we
were ready to apply and this was the final missing piece of the puzzle,
I hope somebody would at least contact me in private to discuss it.

[0]
http://seclists.org/oss-sec/2017/q2/638



Thread overview: 11+ messages
2017-06-28 21:36 FW: [oss-security] accepting new members to (linux-)distros lists Leo Famulari
2017-06-28 22:45 ` ng0
2017-06-29  4:48 ` Alex Vong
2017-07-07 19:18   ` Leo Famulari
2017-07-10 15:56     ` Ludovic Courtès
2017-06-29 19:27 ` Marius Bakke
2017-07-01 13:26 ` Ludovic Courtès
2017-07-05 17:33   ` Mark H Weaver
2017-07-07 19:38     ` Leo Famulari
2017-07-10 15:53       ` Ludovic Courtès
2017-07-10 17:24         ` Leo Famulari