From mboxrd@z Thu Jan  1 00:00:00 1970
From: Marius Bakke <mbakke@fastmail.com>
Subject: Re: FW: [oss-security] accepting new members to (linux-)distros lists
Date: Thu, 29 Jun 2017 21:27:50 +0200
Message-ID: <87efu2mw5l.fsf@fastmail.com>
References: <20170628213609.GA14802@jasmine.lan>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha512; protocol="application/pgp-signature"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:54883)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mbakke@fastmail.com>) id 1dQf6b-0004TI-TZ
	for guix-devel@gnu.org; Thu, 29 Jun 2017 15:27:59 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mbakke@fastmail.com>) id 1dQf6X-0007fF-SO
	for guix-devel@gnu.org; Thu, 29 Jun 2017 15:27:57 -0400
Received: from out5-smtp.messagingengine.com ([66.111.4.29]:36247)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <mbakke@fastmail.com>) id 1dQf6X-0007ej-AS
	for guix-devel@gnu.org; Thu, 29 Jun 2017 15:27:53 -0400
In-Reply-To: <20170628213609.GA14802@jasmine.lan>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Leo Famulari <leo@famulari.name>, guix-devel@gnu.org

--=-=-=
Content-Type: text/plain

Leo Famulari <leo@famulari.name> writes:

> It was hinted at ~1 week ago in the public "Stack Clash" discussion on
> oss-security, but now there has been an announcement: the private
> linux-distros early-notice security discussion and coordination mailing
> list is accepting new members:
>
> http://seclists.org/oss-sec/2017/q2/638
>
> The criteria are listed in the forwarded message below. I'd say we can
> meet them. Perhaps they'd say that Guix is too obscure, but I don't have
> any idea how many users we have. We'd need to have a good plan for #7,
> "Be able and willing to contribute back". I'm assuming we'd have
> somebody to vouch for us (#9).
>
> I've seen some members of Guix express doubts about the utility of
> private discussion forums like linux-distros, and I'm sympathetic.
>
> In fact, even without early notification, we are usually shipping
> security updates for embargoed issues within 24 hours of public
> disclosure, and usually within a few hours. And for non-embargoed
> issues, we are shipping fixes earlier than the major distros very often.
> I read the "security update round-ups" on LWN, and typically they are
> full of bugs we already fixed. So, perhaps it wouldn't make a big
> difference in most cases.
>
> But, the "Stack Clash" issues took us by surprise and we spent a few
> days writing and testing our fixes. We are committed to supporting
> 32-bit platforms where these bugs are apparently easy to exploit.
> Without access to the exploits or detailed discussion, it was very
> difficult to know if our fixes actually worked. So, we could have
> responded more quickly and effectively with early notice.
>
> What do people think? Is anyone else interested in applying to join this
> mailing list? Is anyone else willing to stick to the rules and to
> participate?

I'm not sure how much I can "contribute back", but it would definitely
be good to have early notice about these sometimes very difficult fixes.
In fact, up until the recent glibc kerfuffle I assumed Guix was already
on oss-distros, thanks to you and Marks incessant vigilance!

I also think we meet the criteria, and really don't want another
instance of "oops, we left i686 vulnerable an extra day because we
didn't have time to test the fix properly". So, I'm willing to join the
application, but would be happy to just have *someone* in the know.

We have a responsibility to keep our users safe, and joining the
linux-distros list would give us some extra leeway which seems like a
smart thing to do given our limited resources.

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAllVVLYACgkQoqBt8qM6
VPrkEQf8CwegSMKyVG6onI26jNgt+fu25qL6ZlXh9mOjmv9BPstWTuQqR6vHF09H
CYqYCx2LnIcuXGrpme3+5y5vZMILLLA8zSmlQPVW1K4IPqWx08aXpHll/QCuZOht
dryyKq9mIc3i1ocZ6nutip91BDl7AweaW+xa1k1GKp9RP260gAo3pVhGR5ZtPNUl
w9Dq4R+obGGQll6NKPvu+SbbVgLpG7/GfkzW2fUBpBibwwu5RsHLlzXEc6h/Biha
QAJxQ8xiTsnGbRxsQXPxBczWgEBZozuaAgmPOXtn92R4zYh9ynKBUI3UXnMmBxHe
vK3gjvNbWQZFPDyOkCJGpy5inCof6Q==
=Ldfz
-----END PGP SIGNATURE-----
--=-=-=--