Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20120905022830.GA28964@openwall.com>
Date: Wed, 5 Sep 2012 06:28:30 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: (linux-)distros membership changes

Hi,

For the sake of (partial) transparency:

There have been some recent changes in who is subscribed to the
linux-distros@vs list for SUSE and Red Hat (unsubscribes only) and for
Debian and Oracle (a few people leaving and joining).  For all new
members, their subscription was requested by the vendor's security team.

Here's how many people are currently subscribed for each distro, on
linux-distros:

ALT Linux: 1
Android: 1
CentOS: 1
Chrome OS: 1
Debian: 4
Frugalware: 1
Gentoo: 2
Mandriva: 1
MontaVista Software: 1
Openwall: 1
Oracle: 2
Pardus: 2
Red Hat: 7
rPath: 1
Slackware: 1
SUSE: 4
Ubuntu: 6
Wind River: 1

On distros (in addition to all of the above):

FreeBSD: 2
NetBSD/pkgsrc: 3

Initially, we had a policy to announce each person's (un)subscription in
here, but this was noisy and it was maybe-reasonably criticized for
potentially being too transparent - making some people and their specific
e-mail addresses more of a target, although those joining early on were
obvious targets as their distros' security contact persons anyway.
(Of course, all mail from the list to its members is PGP-encrypted,
which partially mitigates the problem in some cases.)

Please let me know if we - the oss-security community - feel that we
should return to that more/too transparent practice.  For now, I feel
that only new vendors joining need to be announced/discussed in here,
whereas routine changes of who from a distro's security team is
subscribed may be handled off-list, and summaries like the above posted
in here once in a while.

For those who don't know what this is about, see:

http://oss-security.openwall.org/wiki/mailing-lists/distros

Thanks,

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.