Solar Designer | 15 Feb 12:31

"going public"

Hi,

I'd like to revitalize this list.  Two of the things I'd like to do are:

1. Make the xvendor archive public on the web, with e-mail addresses
obfuscated.  This will apply to past messages as well (there are 60 of
them so far, this one is the 61st).  Initially, I'd host the archive on
the Openwall website only, with full control over how addresses are
obfuscated, etc.  Submitting the list to third-party archives, some of
which have far more advanced web interfaces, may be done later.

2. Describe xvendor on a public website - including purpose and policy
of the list.  I am not sure what website this should be on; maybe I'll
just put the info somewhere on the Openwall website for lack of a better
place (that would actually receive visitors).

Note that right now the list is not pre-moderated - there's neither
subscription nor message moderation.  Perhaps this will have to change
in a while after "going public".

Comments?  Objections?

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments

Joey Schulze | 15 Feb 12:40

Re: "going public"

Solar Designer wrote:
> Hi,
> 
> I'd like to revitalize this list.  Two of the things I'd like to do are:
> 
> 1. Make the xvendor archive public on the web, with e-mail addresses
> obfuscated.  This will apply to past messages as well (there are 60 of
> them so far, this one is the 61st).  Initially, I'd host the archive on
> the Openwall website only, with full control over how addresses are
> obfuscated, etc.  Submitting the list to third-party archives, some of
> which have far more advanced web interfaces, may be done later.
> 
> 2. Describe xvendor on a public website - including purpose and policy
> of the list.  I am not sure what website this should be on; maybe I'll
> just put the info somewhere on the Openwall website for lack of a better
> place (that would actually receive visitors).
> 
> Note that right now the list is not pre-moderated - there's neither
> subscription nor message moderation.  Perhaps this will have to change
> in a while after "going public".
> 
> Comments?  Objections?

Appreciated!

Regards,

	Joey


Solar Designer | 17 Feb 13:48

Re: "going public"

On Fri, Feb 15, 2008 at 12:40:18PM +0100, Joey Schulze wrote:
> Appreciated!

Thank you for the encouragement.

The archives of xvendor and oss-security lists are now available at:

http://www.openwall.com/lists/

along with one-line descriptions of the lists.

Alexander

Sebastian Krahmer | 18 Feb 08:32

Re: "going public"

On Fri, 15 Feb 2008, Solar Designer wrote:

Hi,

Some questions came to mind:

1. Who's actually on the list?
2. What's its exact purpose? Like vendor-sec? Discussing patches/exploits?
3. Vendors are only willing to post private patches if it's a closed list
   and they know who is subscribed.
4. If the purpose is clear it needs some announcement (to the dedicated
   folks) so that folks know about it and it soon drives itself.
5. We should avoid a vendor-sec clone, otherwise the competition will
   destroy both lists.

l8er,
Sebastian

> Hi,
> 
> I'd like to revitalize this list.  Two of the things I'd like to do are:
> 
> 1. Make the xvendor archive public on the web, with e-mail addresses
> obfuscated.  This will apply to past messages as well (there are 60 of
> them so far, this one is the 61st).  Initially, I'd host the archive on
> the Openwall website only, with full control over how addresses are
> obfuscated, etc.  Submitting the list to third-party archives, some of
> which have far more advanced web interfaces, may be done later.
> 

Martin Schulze | 18 Feb 08:51

Re: "going public"

Sebastian Krahmer wrote:
> On Fri, 15 Feb 2008, Solar Designer wrote:
> 
> Hi,
> 
> Some questions came to mind:
> 
> 1. Who's actually on the list?
> 2. What's its exact purpose? Like vendor-sec? Discussing patches/exploits?

The purpose is to discuss cross-vendor (thus the name) issues.  This is
not limited to security problems, and indeed it was meant as an addition
to vendor-sec to be able to discuss other issues as well - such as license
problems with upstream cdrecord or lack of upstream maintenance of cron.
Things like that.

> 3. Vendors are only willing to post private patches if it's a closed list
>    and they know who is subscribed.

As soon as vendors are releasing their product the patches cannot be
"private" anymore, GPL forbids this, and it's the most frequently used
license.

> 4. If the purpose is clear it needs some announcement (to the dedicated
>    folks) so that folks know about it and it soon drives itself.

Several years ago Solar posted an announcement on vendor-sec.

> 5. We should avoid a vendor-sec clone, otherwise the competition will

Sebastian Krahmer | 18 Feb 10:23

Re: "going public"

On Mon, 18 Feb 2008, Martin Schulze wrote:

> 
> The purpose is to discuss cross-vendor (thus the name) issues.  This is
> not limited to security problems, and indeed it was meant as an addition
> to vendor-sec to be able to discuss other issues as well - such as license
> problems with upstream cdrecord or lack of upstream maintenance of cron.
> Things like that.
> 
> > 3. Vendors are only willing to post private patches if it's a closed list
> >    and they know who is subscribed.
> 
> As soon as vendors are releasing their product the patches cannot be
> "private" anymore, GPL forbids this, and it's the most frequently used
> license.

They are private until CRD. And that's the point. That xvendor
can become something like a 2nd level cache of vendor-sec.

> 
> > 4. If the purpose is clear it needs some announcement (to the dedicated
> >    folks) so that folks know about it and it soon drives itself.
> 
> Several years ago Solar posted an announcement on vendor-sec.
> 
This does not suffice to make it an accepted list.
I guess not many people remember this.

l8er,
S.

Martin Schulze | 18 Feb 10:29

Re: "going public"

Sebastian Krahmer wrote:
> > > 4. If the purpose is clear it needs some announcement (to the dedicated
> > >    folks) so that folks know about it and it soon drives itself.
> > 
> > Several years ago Solar posted an announcement on vendor-sec.
> > 
> This does not suffice to make it an accepted list.
> I guess not many people remember this.

True.  It never went public on purpose and information hasn't spread
wide.  Something I've always regretted.

Regards,

	Joey

-- 
Computers are not intelligent.  They only think they are.

Vincent Danen | 18 Feb 17:06

Re: "going public"

* [2008-02-18 10:23:03 +0100] Sebastian Krahmer wrote:

>> The purpose is to discuss cross-vendor (thus the name) issues.  This is
>> not limited to security problems, and indeed it was meant as an addition
>> to vendor-sec to be able to discuss other issues as well - such as license
>> problems with upstream cdrecord or lack of upstream maintenance of cron.
>> Things like that.
>> 
>> > 3. Vendors are only willing to post private patches if it's a closed list
>> >    and they know who is subscribed.
>> 
>> As soon as vendors are releasing their product the patches cannot be
>> "private" anymore, GPL forbids this, and it's the most frequently used
>> license.
> They are private until CRD. And that's the point. That xvendor
> can become something like a 2nd level cache of vendor-sec.

Yeah, but you would use vendor-sec for that.  I think it's quite
intentional that xvendor has no mention of "security" in it (unlike
oss-security, for instance).

As was previously stated, this is a cross-vendor discussion list for
things that affect all distros; Solar used a glibc bug as an example
before.  Not necessarily security-related, but affects most of us.

I think xvendor is less related to vendor-sec than oss-security would
be.  It might be prudent to look at it this way:

- vendor-sec: top level security-only private list (embargoed and
	non-public stuff would go here)