From: Mark H Weaver
Subject: Re: FW: [oss-security] accepting new members to (linux-)distros lists
Date: Wed, 05 Jul 2017 13:33:05 -0400
Message-ID: <87van6g566.fsf@netris.org>
In-Reply-To: <87a84offur.fsf@gnu.org> (Ludovic Courtès's message of "Sat, 01 Jul 2017 15:26:20 +0200")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Ludovic Courtès
Cc: guix-devel@gnu.org

ludo@gnu.org (Ludovic Courtès) writes:

> Leo Famulari writes:
>
>> I've seen some members of Guix express doubts about the utility of
>> private discussion forums like linux-distros, and I'm sympathetic.
>>
>> In fact, even without early notification, we are usually shipping
>> security updates for embargoed issues within 24 hours of public
>> disclosure, and usually within a few hours. And for non-embargoed
>> issues, we are very often shipping fixes earlier than the major distros.
>> I read the "security update round-ups" on LWN, and typically they are
>> full of bugs we already fixed. So, perhaps it wouldn't make a big
>> difference in most cases.
>>
>> But, the "Stack Clash" issues took us by surprise and we spent a few
>> days writing and testing our fixes. We are committed to supporting
>> 32-bit platforms where these bugs are apparently easy to exploit.
>> Without access to the exploits or detailed discussion, it was very
>> difficult to know if our fixes actually worked. So, we could have
>> responded more quickly and effectively with early notice.
>>
>> What do people think? Is anyone else interested in applying to join this
>> mailing list? Is anyone else willing to stick to the rules and to
>> participate?
>
> Like you say, you (and Mark and others) have been doing excellent work
> already without being on that list, but I agree that the early notice
> could help in some cases. So overall I think being on linux-distros is
> a good idea, and it seems like we meet the criteria.
>
> The real question is about our commitment to contribute back.
> Presumably only one or two of us would be on that list, so they would
> largely have that responsibility individually, even if the rest of us
> could of course help out as far as the embargo etc. permits.
>
> Long story short, I would be super happy if you or Mark were on that
> list.
>
> How do you feel about it?

It might be that joining linux-distros is the right thing to do, but I
don't have the spare capacity to contribute back at this time.

Also, I have mixed feelings about promising to keep security flaws a
secret for however long I'm asked to do so (which apparently exceeded
the time specified in the mailing list rules for Stack Clash). I'm not
yet prepared to make such a promise.

     Mark