Message-ID: <20140330183211.GB8534@openwall.com>
Date: Sun, 30 Mar 2014 22:32:11 +0400
From: Solar Designer <solar@...nwall.com>
To: Georgi Guninski <guninski@...inski.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: [OT] FD mailing list died. Time for new one

Georgi,

I reluctantly approved your posting for distribution to oss-security (so
far, 100% of your postings made it to the list), although I find it of
very little value for the reasons given below.  If you post another one
that is about as useless, we will likely reject it.  However, if you
finally do explain things clearly, this might be worth another message.
Maybe make a blog post and announce that.  Try to write it really well.

On Sun, Mar 30, 2014 at 07:41:22PM +0300, Georgi Guninski wrote:
> Just for the record of the old FD,
> i posted there anonymously and
> even killed at least one bug in 
> widely used open source warez in
> un-orthodoxal way.
> 
> The CVE servants got the bug
> significantly later after the
> announcement :)

What's the purpose of posting this?

Like with much other stuff you posted, you're failing to make it clear
just what message you're trying to get across.  Do you want someone to
be doing something differently?  If so, who, and what exactly?  I think
you do have a message, but it's all obfuscated by the hints, sarcasm,
you pretending to be humble ("OT", "don't care" - then why post, as
someone told you).  Maybe try to write _one_ essay where you'd explain
your point of view and the rationale behind it in a way that would be
clear to most readers.  Right now, your anti-CVE stance looks plain
ridiculous to most people, and it'd stay that way unless you explain it
very clearly, with rationale given.  "Oh, those guys support responsible
disclosure, so I'll boycott CVEs even for vulns to be disclosed publicly
right away" does not sound reasonable to most readers, regardless of
whether they'd possibly agree with your opinion (if you did give the
rationale) or not.  If you do have a good rationale for what you're
doing or advocating that others do(*), then do explain it clearly!

(*) It is unclear what you're advocating people to do, even.  One thing
you did mention is you want a fully unmoderated full-disclosure list -
and you were told (by Fyodor, I think) that you're welcome to set one
up if you like.  I don't think anything else may be done in that respect.

For CVEs, it is _totally_ unclear what you'd like people to be doing or
not doing.  Did you ever explain that?

> maybe solardiz is using the
> mainstream patch i suspect.

I have no idea what you're referring to.  Chances are most folks on
oss-security don't know either.

I'd appreciate it if you tried to make your postings actually useful to
at least someone.

No brief/partial responses to the above, please.  Let's not continue
this thread one tiny bit at a time.  If you feel like responding, and I
hope so, please respond in the form of an essay, covering all of the
issues you find important - without sarcasm, without hints (but with
clear references instead), without pretending to be humble.

And in case you are in fact that humble and you actually "don't care" (I
doubt it), then please don't waste your and anyone else's time.

Thanks,

Alexander
