Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <535A7C5F.9040209@amazon.com>
Date: Fri, 25 Apr 2014 08:16:47 -0700
From: Anthony Liguori <aliguori@...zon.com>
To: <oss-security@...ts.openwall.com>
Subject: Re: Request for linux-distros list membership

On 04/24/14 17:34, Solar Designer wrote:
> So, can someone already on linux-distros and distros
> please volunteer to keep track of all issues being
> brought to these lists (yes, all issues - including those
> that don't affect your distro) and ensure that each one
> of them promptly gets assigned at least a tentative
> public disclosure date, that such date is within list
> policy, that the issue is in fact publicly disclosed on
> that date, and that the disclosure includes a mandatory
> posting specifically to oss-security (as well as to
> anywhere else the disclosing person likes to post)?  If
> any of these requirements are violated (or are about to
> be violated), please yell on the (private) list (CC'ing
> the external reporter of the issue, if applicable) until
> the violation ceases.  Any volunteer(s)?

This sounds like a terrible job for a human but a simple job for a
script.  I think all it really requires is having an agreed upon way to
take disclosure dates.  It is then simple to have a script that (1)
complains when (disclosure date - thread creation date) > max embargo
period (2) complains when a disclosure date has been exceeded without an
indication that there has been a public statement.

The nice thing about using on-list tagging is that it keeps all of the
state on list such that anyone can run the bot on their own.

I would propose we use a system like:

X-Disclosure-Date: 2014-06-01

To set/update the disclosure date for a given thread.  To indicate that
something has been disclosed:

X-Disclosed-On: 2014-06-02T05:00:00Z

I can watch threads for now and make sure metadata is getting tagged but
hopefully over time all list members will participate making it not
depend on one person.  If no one objects, I'll put something together
and send out a pointer to the code.

Regards,

Anthony Liguori

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.