
Re: [oss-security] Containers-optimized OS (COS) membership in the linux-distros list



On Mon, Sep 20, 2021 at 04:04:13PM -0700, Oleksandr Tymoshenko wrote:
> Solar Designer (solar AT openwall.com) wrote:
> > You posted this from @google.com, which probably means many subscribers
> > didn't receive the message because of that domain's strict DMARC policy.
> > So I fully quote your message below for others to possibly comment.
> > 
> > BTW, you will similarly need to be posting from another domain (e.g.,
> > gmail.com) to the linux-distros list.
>  
> Sorry, I wasn't aware of the problem with @google.com. Replying
> from the email address I use for my OSS communications (supposedly
> has DKIM and SPF configured). If this one is OK, I'll use it instead.

Looks OK to me.  I think @chromium.org would also work.

> I think we can help with the following tasks:
> 
> Help ensure that each message posted to oss-security contains the most
> essential information (e.g., vulnerability detail and/or exploit)
> directly in the message itself (and in plain text) rather than only by
> reference to an external resource, and add the missing information
> (e.g., in your own words, by quoting with proper attribution, and/or
> by creating and attaching a properly attributed text/plain export of a
> previously referenced web page) and remind the original sender of this
> requirement (for further occasions) in a "reply" posting when
> necessary

We've recently listed Oracle Solaris as primary for this one, so COS can
be the backup.

> Determine if the reported issues are Linux-specific, and if so help
> ensure that (further) private discussion goes on the linux-distros
> sub-list only (thus, not spamming and unnecessarily disclosing to the
> non-Linux distros) 
> 
> Promptly review new issue reports for meeting the list's requirements
> and confirm receipt of the report and, when necessary, inform the
> reporter of any issues with their report (e.g., obviously not actionable
> by the distros) and request and/or propose any required yet missing
> information (most notably, a tentative public disclosure date/time) 

Both of these already have a primary and a backup, and I see no
immediate need to reassign them.  We can note your willingness to help
with them in case they do need to be reassigned later, or/and please
feel free to volunteer for a task that isn't currently fully taken.

I have no objections to you being merely a backup for "Help ensure that
each message posted to oss-security contains the most essential
information", though.

> > > We'll provide relevant GPG keys separately if our membership is accepted.

I think we've reached this point - please e-mail me off-list with what
address(es) and with what key(s) to subscribe.

Thanks,

Alexander