[arch-security] Subscription to OSS-security linux-distros
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

To all,

Is anyone subscribed to the Linux-distros mailing list of OSS-security?

From,
Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iF4EAREIAAYFAlOQnGMACgkQZ/Z80n6+J/alAwD/V2XnytW/x8gOcltGQ8T39Jmb
Cb6H4l3Ej6n8U3zWI/sA/2uekN8yAEvghpAoe0SW39fWz3H+Cy0GUKZAVe1J7mKH
=fFN9
-----END PGP SIGNATURE-----
Hi,
Is anyone subscribed to the Linux-distros mailing list of OSS-security?
I remember that Allan McRae requested membership about one year ago, and that it was granted [1]. I don't know if it's still relevant, though.

[1] http://marc.info/?l=oss-security&m=136658482908250&w=2
To All,

There are several linux-distro subscription requests on the oss-security mailing list, and some bugs are disclosed first on that mailing list. I just want to be sure that Arch Linux is getting this expedited notification of bugs. Are you still on it, Allan?

Regards,
Mark

On Thu, Jun 5, 2014 at 3:01 PM, Remi Gacogne <rgacogne-arch@coredump.fr> wrote:
> Hi,
>
> Is anyone subscribed to the Linux-distros mailing list of OSS-security?
>
> I remember that Allan McRae requested membership about one year ago, and that it was granted [1]. I don't know if it's still relevant, though.
On 06/06/14 05:14, Mark Lee wrote:
> To All,
>
> There are several linux-distro subscription requests on the oss-security mailing list, and some bugs are disclosed first on that mailing list. I just want to be sure that Arch Linux is getting this expedited notification of bugs. Are you still on it, Allan?

Yes - I pass on the worst (or at least let people know the public release dates if not the details).

A
On 05/06/14 05:36 PM, Allan McRae wrote:
> On 06/06/14 05:14, Mark Lee wrote:
>> To All,
>>
>> There are several linux-distro subscription requests on the oss-security mailing list, and some bugs are disclosed first on that mailing list. I just want to be sure that Arch Linux is getting this expedited notification of bugs. Are you still on it, Allan?
>
> Yes - I pass on the worst (or at least let people know the public release dates if not the details).
>
> A

There's not much we really can do to prepare since we're unlikely to have anything to backport. The work to backport to the stable release will already be done for anything important enough to go through an embargo. A restriction on disclosure for 7 days just means we'll get the fix 7 days later.

The important issue here is that there needs to be enough interest in security by developers and trusted users to prioritize these package upgrades even if it's not a package they maintain, because the maintainer might not be around.
To All,

There is an Arch security team, but they don't necessarily have developer access. The strategy is currently to report to the arch-security mailing list and file a bug report. I'd just like to know if security issues that are reported are already fixed (since there is a delay for non-distro subscribing lists). Could developers file any security changes they make in the arch-security mailing list as well then?

Regards,
Mark

On Thu, Jun 5, 2014 at 7:13 PM, Daniel Micay <danielmicay@gmail.com> wrote:
> On 05/06/14 05:36 PM, Allan McRae wrote:
>> On 06/06/14 05:14, Mark Lee wrote:
>>> To All,
>>>
>>> There are several linux-distro subscription requests on the oss-security mailing list, and some bugs are disclosed first on that mailing list. I just want to be sure that Arch Linux is getting this expedited notification of bugs. Are you still on it, Allan?
>>
>> Yes - I pass on the worst (or at least let people know the public release dates if not the details).
>>
>> A
>
> There's not much we really can do to prepare since we're unlikely to have anything to backport. The work to backport to the stable release will already be done for anything important enough to go through an embargo. A restriction on disclosure for 7 days just means we'll get the fix 7 days later.
>
> The important issue here is that there needs to be enough interest in security by developers and trusted users to prioritize these package upgrades even if it's not a package they maintain, because the maintainer might not be around.
On 05/06/14 11:23 PM, Mark Lee wrote:
> To All,
>
> There is an Arch security team, but they don't necessarily have developer access. The strategy is currently to report to the arch-security mailing list and file a bug report. I'd just like to know if security issues that are reported are already fixed (since there is a delay for non-distro subscribing lists). Could developers file any security changes they make in the arch-security mailing list as well then?
>
> Regards,
> Mark

The delay can't be used to fix the packages early. It's only for preparing an upgrade to push when the embargo expires, and in most cases the packager is going to fix it by upgrading rather than doing a backport.
participants (4)
- Allan McRae
- Daniel Micay
- Mark Lee
- Remi Gacogne