[arch-general] [Announcement] Discussion about restricting arch-security for public participation
Dear arch-security subscribers, dear arch-general subscribers,

The policy of the arch-security mailing list is currently changed to a restricted, advisory-announcements-only list due to certain reasons roughly explained on the arch-devops [0] and arch-dev-public [1] lists. As there was no announcement and discussion about this change yet, we want to invite you to discuss the restriction of the arch-security mailing list on the CC-ed arch-general list. After making sure you are subscribed to arch-general [2], you can simply reply to this announcement by posting directly to the arch-general mailing list.

Our main goal behind this change is to separate relevant official announcements and advisories from possibly long and frequent discussions. The security team's idea is that each announcement to the arch-security list should be considered as an urgent alert and reviewed as soon as possible, without the need to filter them from general conversations and exchange of "unverified" information.

Sincerely,
Levente (anthraxx)

[0] https://lists.archlinux.org/pipermail/arch-devops/2016-January/000007.html
[1] https://lists.archlinux.org/pipermail/arch-dev-public/2015-December/027581.h...
[2] https://lists.archlinux.org/listinfo/arch-general
On 27 January 2016 at 22:41, Levente Polyak <anthraxx@archlinux.org> wrote:
the policy of the arch-security mailing list is currently changed to a restricted, advisory-announcements-only list due to certain reasons roughly explained on the arch-devops [0] and arch-dev-public [1] lists.
As there was no announcement and discussion about this change yet, we want to invite you to discuss the restriction of the arch-security
IMHO, the change looks fine and similar to how others do it. So: +1.

t'
-- 
(nil)
the policy of the arch-security mailing list is currently changed to a restricted, advisory-announcements-only list due to certain reasons roughly explained on the arch-devops [0] and arch-dev-public [1] lists.
I noticed this change when I tried to reply to today's nginx advisory by mentioning that nginx-mainline (in the AUR, but officially supported by nginx and relevant to the nginx advisory) was also affected, and also updated in the AUR. I don't think we should use arch-security for AUR security advisories in general, but I felt like that email was pretty on-topic for the mailing list under these circumstances.

Mailman lets you set a list to moderated, which requires each email to be manually approved by a moderator. I think that using this feature would be a good strategy so that moderators can use their best judgement on a case-by-case basis. I can't imagine the workload being very high, considering that prior to this change we were seeing, on average, <1 thread per month that was not a straightforward security advisory.

Considering the low volume of arch-security in the first place, I feel like this is a solution looking for a problem anyway. I've never felt that the signal:noise ratio on arch-security is a problem. The email thread mentioned in Christian's email to arch-devops is very unusual, at least for the time I've been subscribed to arch-security. If that sort of content shouldn't appear on the list, then a better solution would be to enable Mailman's moderation than to blanketly ban all posts to the ML.

Aside: we should strive to make sure that mailing lists are involved in discussions that affect them _before_ decisions are made.

-- 
Drew DeVault
On 28-01-2016 00:41, Levente Polyak wrote:
Our main goal behind this change is to separate relevant official announcements and advisories from possibly long and frequent discussions. The security team's idea is that each announcement to the arch-security list should be considered as an urgent alert and reviewed as soon as possible, without the need to filter them from general conversations and exchange of "unverified" information.
I suppose that what you propose is how security mailing lists of other distros work, so no surprise here. Do it. Anyone wanting to discuss an announcement can do it in arch-general.

-- 
Mauro Santos
I see that there is certain interest in separating messages about security updates in given packages from general security discussions and announcements. Nonetheless, if the arch-security list becomes closed down for public participation, then we are in need of a new list for the latter two purposes.

On 2016-01-28 at 01:41, Levente Polyak wrote:
Dear arch-security subscribers, Dear arch-general subscribers,
the policy of the arch-security mailing list is currently changed to a restricted, advisory-announcements-only list due to certain reasons roughly explained on the arch-devops [0] and arch-dev-public [1] lists.
As there was no announcement and discussion about this change yet, we want to invite you to discuss the restriction of the arch-security mailing list on the CC-ed arch-general list. After making sure you are subscribed to arch-general [2], you can simply reply to this announcement by posting directly to the arch-general mailing list.
Our main goal behind this change is to separate relevant official announcements and advisories from possibly long and frequent discussions. The security team's idea is that each announcement to the arch-security list should be considered as an urgent alert and reviewed as soon as possible, without the need to filter them from general conversations and exchange of "unverified" information.
Sincerely,
Levente (anthraxx)
[0] https://lists.archlinux.org/pipermail/arch-devops/2016-January/000007.html
[1] https://lists.archlinux.org/pipermail/arch-dev-public/2015-December/027581.h...
[2] https://lists.archlinux.org/listinfo/arch-general
Now there are different opinions about this: Some people certainly estimate comments, questions and discussion about security issues which do not solely pertain to updates of packages for already known security issues. Allowing discussion about potential security risks is also an important issue, though certain package maintainers and arch-security personnel may feel discomforted about such discussions. Nonetheless, I would believe such discussion to be worthwhile and important. Those who do not want to read it will not need to as soon as we have separate lists for "Discussion about security issues in Arch" and "Package updates for Arch resolving already known security issues".

Just read f.i. the following message from Luchesar V. ILIEV:

-------- Forwarded message --------
Subject: Re: [arch-security] strange netstat connections after having opened Firefox
Date: Sat, 5 Dec 2015 15:46:32 +0200
From: Luchesar V. ILIEV <luchesar.iliev@gmail.com>
Reply-To: Discussion about security issues in Arch Linux and its packages <arch-security@archlinux.org>
To: Discussion about security issues in Arch Linux and its packages <arch-security@archlinux.org>

On 5 December 2015 at 14:01, Christian Rebischke <Chris.Rebischke@archlinux.org> wrote:
This mailing list has a daily-business todo and was not designed for discussions. [...]
The list name however says "Discussion about security issues in Arch Linux and its packages". That being said, I understand what you mean and agree with it.
[...] This mailing list's main task is to inform subscribers about the newest vulnerabilities.
So, could perhaps the list be split into two: one list for security-related discussions and one---moderated or even "read-only"---strictly for security announcements? For example, FreeBSD has these:

freebsd-security: Security issues [members-only posting]
freebsd-security-notifications: Moderated Security Notifications [moderated, low volume]

The rationale is probably obvious. On one hand, people indeed expect a list used for security announcements to be used _only_ for this. Some might, for example, have set filters that mark such messages as urgent, display nagging pop-ups, etc. On the other hand, the plain old e-mail still has value as a medium for discussions. For example, it's not very practical to digitally sign forum postings, and IRC is a wholly different type of communication that might not always be appropriate.

Cheers,
Luchesar

P.S. Slightly off-topic: my sincerest gratitude to everyone behind the security announcements! You're doing a great job, and this is not just empty words.

On 2016-01-28 at 13:06, Elmar Stellnberger wrote:
I see that there is certain interest in separating messages about security updates in given packages from general security discussions and announcements. Nonetheless, if the arch-security list becomes closed down for public participation, then we are in need of a new list for the latter two purposes.
On 2016-01-28 at 01:41, Levente Polyak wrote:
Dear arch-security subscribers, Dear arch-general subscribers,
the policy of the arch-security mailing list is currently changed to a restricted, advisory-announcements-only list due to certain reasons roughly explained on the arch-devops [0] and arch-dev-public [1] lists.
As there was no announcement and discussion about this change yet, we want to invite you to discuss the restriction of the arch-security mailing list on the CC-ed arch-general list. After making sure you are subscribed to arch-general [2], you can simply reply to this announcement by posting directly to the arch-general mailing list.
Our main goal behind this change is to separate relevant official announcements and advisories from possibly long and frequent discussions. The security team's idea is that each announcement to the arch-security list should be considered as an urgent alert and reviewed as soon as possible, without the need to filter them from general conversations and exchange of "unverified" information.
Sincerely,
Levente (anthraxx)
[0] https://lists.archlinux.org/pipermail/arch-devops/2016-January/000007.html
[1] https://lists.archlinux.org/pipermail/arch-dev-public/2015-December/027581.h...
On 01/28/2016 04:29 PM, Elmar Stellnberger wrote:
Now there are different opinions about this: Some people certainly estimate comments, questions and discussion about security issues which do not solely pertain to updates of packages for already known security issues. Allowing discussion about potential security risks is also an important issue, though certain package maintainers and arch-security personnel may feel discomforted about such discussions. Nonetheless, I would believe such discussion to be worthwhile and important.
First of all: please follow the general Arch Linux mailing list rules and always bottom-post.

Also, I would like to state that you still have the possibility to do so; you can safely discuss anything Arch Linux related (which includes security) on arch-general. That is (and was) already done in the history, most recent threads f.e.: "AppArmor on linux-grsec" [0], "pacman signature verification" [1], "SELinux on Arch" [2]...

In my opinion, I don't feel like we are urged to have a separate list, as most of the time the topics blur the line and splitting it does not provide much benefit.

On 01/28/2016 04:29 PM, Elmar Stellnberger wrote:
P.S. Slightly off-topic: my sincerest gratitude to everyone behind the security announcements! You're doing a great job, and this is not just empty words.
Thank you very much, that is appreciated and makes us happy... however, to be pedantic: Most of the work needs to be done before any announcements; that is just the (smallest) final step :)

cheers,
Levente

[0] https://lists.archlinux.org/pipermail/arch-general/2016-January/040516.html
[1] https://lists.archlinux.org/pipermail/arch-general/2016-January/040505.html
[2] https://lists.archlinux.org/pipermail/arch-general/2016-January/040479.html
In my opinion, I don't feel like we are urged to have a separate list, as most of the time the topics blur the line and splitting it does not provide much benefit.
Distributions tend to have their own security lists so that people can receive security-related stuff only. To me there is simply too much irrelevant traffic with regards to security-related topics on the arch-general list. Getting posts about imminent and potential security risks from many different sides is f.i. something I still estimate about the Debian security list very much.

Besides the fact that many people from the security list, previously also open for discussion, will not participate in a discussion here, I wanna say that I would still estimate an own list for security discussion if not achieving the current security list to be opened up for posts from various sides again. If you do not want any discussion there, simply rename this list from "Discussion about security issues in Arch" into "Security Announcements for Arch". Then it will be clear to everyone that this list is not for posing security-related questions or just having a discussion.

On 2016-01-28 at 17:29, Levente Polyak wrote:
On 01/28/2016 04:29 PM, Elmar Stellnberger wrote:
P.S. Slightly off-topic: my sincerest gratitude to everyone behind the security announcements! You're doing a great job, and this is not just empty words.
Thank you very much, that is appreciated and makes us happy... however, to be pedantic: Most of the work needs to be done before any announcements; that is just the (smallest) final step :)
No doubt, the Arch as well as other independent security teams are currently doing a great job! It needs to be said twice. Nonetheless, there are two things that should be mentioned: First of all, if there is something that I keep estimating most about the many Open Source communities, then it is people always being open for contribution, input and discussion from various sides. Secondly, we cannot suggest to people that they are in a safe place just because they are using up-to-date OSS software by the time. Many serious and dire security vulnerabilities (leading f.i. to arbitrary code execution or privilege escalation) have recently been closed not just in the Chrome and Firefox browser, but there may very likely be further issues; i.e. keep your work going, I just wanna see a more secure OSS environment for the future!

Elmar