Discussion: "going public"
Solar Designer
2008-02-15 11:34:01 UTC
Hi,

I'd like to revitalize this list. Two of the things I'd like to do are:

1. Make the xvendor archive public on the web, with e-mail addresses
obfuscated. This will apply to past messages as well (there are 60 of
them so far, this one is the 61st). Initially, I'd host the archive on
the Openwall website only, with full control over how addresses are
obfuscated, etc. Submitting the list to third-party archives, some of
which have far more advanced web interfaces, may be done later.

2. Describe xvendor on a public website - including purpose and policy
of the list. I am not sure what website this should be on; maybe I'll
just put the info somewhere on the Openwall website for lack of a better
place (that would actually receive visitors).

Note that right now the list is not pre-moderated - there's neither
subscription nor message moderation. Perhaps this will have to change
in a while after "going public".

Comments? Objections?
--
Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15 fp: B3FB 63F4 D7A3 BCCC 6F6E FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments
Joey Schulze
2008-02-15 11:40:18 UTC
Post by Solar Designer
Hi,
1. Make the xvendor archive public on the web, with e-mail addresses
obfuscated. This will apply to past messages as well (there are 60 of
them so far, this one is the 61st). Initially, I'd host the archive on
the Openwall website only, with full control over how addresses are
obfuscated, etc. Submitting the list to third-party archives, some of
which have far more advanced web interfaces, may be done later.
2. Describe xvendor on a public website - including purpose and policy
of the list. I am not sure what website this should be on; maybe I'll
just put the info somewhere on the Openwall website for lack of a better
place (that would actually receive visitors).
Note that right now the list is not pre-moderated - there's neither
subscription nor message moderation. Perhaps this will have to change
in a while after "going public".
Comments? Objections?
Appreciated!

Regards,

Joey
--
It's time to close the windows.
Solar Designer
2008-02-17 12:48:18 UTC
Post by Joey Schulze
Appreciated!
Thank you for the encouragement.

The archives of xvendor and oss-security lists are now available at:

http://www.openwall.com/lists/

along with one-line descriptions of the lists.

Alexander
Sebastian Krahmer
2008-02-18 07:32:49 UTC
On Fri, 15 Feb 2008, Solar Designer wrote:

Hi,

Some questions came in mind:

1. Who's actually on the list?
2. What's its exact purpose? Like vendor-sec? Discussing patches/exploits?
3. Vendors are only willing to post private patches if it's a closed list
and they know who is subscribed.
4. If the purpose is clear it needs some announcement (to the dedicated
folks) so that folks know about it and it soon drives itself.
5. We should avoid a vendor-sec clone, otherwise the competition will
destroy both lists.

l8er,
Sebastian
Post by Solar Designer
Hi,
1. Make the xvendor archive public on the web, with e-mail addresses
obfuscated. This will apply to past messages as well (there are 60 of
them so far, this one is the 61st). Initially, I'd host the archive on
the Openwall website only, with full control over how addresses are
obfuscated, etc. Submitting the list to third-party archives, some of
which have far more advanced web interfaces, may be done later.
2. Describe xvendor on a public website - including purpose and policy
of the list. I am not sure what website this should be on; maybe I'll
just put the info somewhere on the Openwall website for lack of a better
place (that would actually receive visitors).
Note that right now the list is not pre-moderated - there's neither
subscription nor message moderation. Perhaps this will have to change
in a while after "going public".
Comments? Objections?
--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer-***@public.gmane.org - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Martin Schulze
2008-02-18 07:51:07 UTC
Post by Sebastian Krahmer
Hi,
1. Who's actually on the list?
2. What's its exact purpose? Like vendor-sec? Discussing patches/exploits?
The purpose is to discuss cross-vendor (thus the name) issues. This is
not limited to security problems, and indeed it was meant as an addition
to vendor-sec to be able to discuss other issues as well - such as license
problems with upstream cdrecord or lack of upstream maintenance of cron.
Things like that.
Post by Sebastian Krahmer
3. Vendors are only willing to post private patches if it's a closed list
and they know who is subscribed.
As soon as vendors are releasing their product the patches cannot be
"private" anymore, GPL forbids this, and it's the most frequently used
license.
Post by Sebastian Krahmer
4. If the purpose is clear it needs some announcement (to the dedicated
folks) so that folks know about it and it soon drives itself.
Several years ago Solar posted an announcement on vendor-sec.
Post by Sebastian Krahmer
5. We should avoid a vendor-sec clone, otherwise the competition will
destroy both lists.
Its purpose is not to discuss security issues but other issues.

Regards,

Joey
--
Computers are not intelligent. They only think they are.
Sebastian Krahmer
2008-02-18 09:23:03 UTC
Post by Martin Schulze
The purpose is to discuss cross-vendor (thus the name) issues. This is
not limited to security problems, and indeed it was meant as an addition
to vendor-sec to be able to discuss other issues as well - such as license
problems with upstream cdrecord or lack of upstream maintenance of cron.
Things like that.
Post by Sebastian Krahmer
3. Vendors are only willing to post private patches if it's a closed list
and they know who is subscribed.
As soon as vendors are releasing their product the patches cannot be
"private" anymore, GPL forbids this, and it's the most frequently used
license.
They are private until CRD. And that's the point. That xvendor
can become something like a 2nd level cache of vendor-sec.
Post by Martin Schulze
Post by Sebastian Krahmer
4. If the purpose is clear it needs some announcement (to the dedicated
folks) so that folks know about it and it soon drives itself.
Several years ago Solar posted an announcement on vendor-sec.
This does not suffice to make it an accepted list.
I guess not many people remember this.

l8er,
S.
--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer-***@public.gmane.org - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Martin Schulze
2008-02-18 09:29:49 UTC
Post by Sebastian Krahmer
Post by Martin Schulze
Post by Sebastian Krahmer
4. If the purpose is clear it needs some announcement (to the dedicated
folks) so that folks know about it and it soon drives itself.
Several years ago Solar posted an announcement on vendor-sec.
This does not suffice to make it an accepted list.
I guess not many people remember this.
True. It never went public on purpose and information hasn't spread
wide. Something I've always regretted.

Regards,

Joey
--
Computers are not intelligent. They only think they are.
Vincent Danen
2008-02-18 16:06:09 UTC
Post by Sebastian Krahmer
Post by Martin Schulze
The purpose is to discuss cross-vendor (thus the name) issues. This is
not limited to security problems, and indeed it was meant as an addition
to vendor-sec to be able to discuss other issues as well - such as license
problems with upstream cdrecord or lack of upstream maintenance of cron.
Things like that.
Post by Sebastian Krahmer
3. Vendors are only willing to post private patches if it's a closed list
and they know who is subscribed.
As soon as vendors are releasing their product the patches cannot be
"private" anymore, GPL forbids this, and it's the most frequently used
license.
They are private until CRD. And that's the point. That xvendor
can become something like a 2nd level cache of vendor-sec.
Yeah, but you would use vendor-sec for that. I think it's quite
intentional that xvendor has no mention of "security" in it (unlike
oss-security, for instance).

As was previously stated, this is a cross-vendor discussion list for
things that affect all distros; Solar used a glibc bug as an example
before. Not necessarily security-related, but affects most of us.

I think xvendor is less related to vendor-sec than oss-security would
be. It might be prudent to look at it this way:

- vendor-sec: top level security-only private list (embargoed and
non-public stuff would go here)
- oss-security: mid-level security-only semi-public list (public
discussion on security issues goes here)
- xvendor: bottom-level non-security public list (public discussion on
cross-vendor non-security issues goes here)

I feel bad describing xvendor as a "bottom-level" list, but if you look
at it in terms of security (which you're obviously doing) then I think it's
an apt description. xvendor should not be considered security-related
at all and, I think, security topics would largely be off-topic on this
list (that's what oss-security is for).
--
Vincent Danen @ http://linsec.ca/