oss-sec mailing list archives
Re: Request for linux-distros list membership
From: Solar Designer <solar () openwall com>
Date: Thu, 10 Apr 2014 10:25:54 +0400
On Wed, Apr 09, 2014 at 11:57:33PM -0600, Kurt Seifried wrote:
So first off I'm inclined to have Amazon on the distros list (same reasons as Oracle basically). My only concern is are you the correct person, I have no clue who is on the Amazon security team for their Linux distribution, I've never seen you post anything anywhere. Your search - site:aws.amazon.com Anthony Liguori - did not match any documents. Your search - site:aws.amazon.com aliguori () amazon com - did not match any documents. Can we somehow get confirmation from Amazon that this is the right person to have on distros? Thanks.
Yes, we need this sort of confirmation. My other concerns are: I think Amazon has never participated in discussions on oss-security. Searching: site:openwall.com "amazon.com" finds only Anthony's request for distros list membership and some irrelevant pages outside of the oss-security archive. It doesn't find any oss-security postings from any Amazon person (although checking the subscriber list I see that some were subscribed, at various times). As I said in: http://www.openwall.com/lists/oss-security/2014/01/22/1 "Asking to join linux-distros before you've been on oss-security for a while (and preferably, having contributed to the discussions in here) is putting the cart before the horse." The distros and linux-distros lists exist as an addition to oss-security. It is pointless for a distro to be on distros/linux-distros while not also being on oss-security. Granted, Anthony has just joined oss-security (welcome!), yet the sudden interest in advance notification while apparently not caring about timely notification (on just-made-public issues) just a week ago is suspicious. Where's the info on Amazon Linux AMI security updates? How timely were they, historically? (In other words, does a few days of advance notice really make a difference?) How are users being notified of them? How are users supposed to install them? I notice that Amazon was added to http://oss-security.openwall.org/wiki/vendors in 2012. That's good, indicating some past interest in security notifications. https://aws.amazon.com/amazon-linux-ami/security-bulletins/ lists security bulletins, including already on Heartbleed. This addresses some of my questions above, yet I'd appreciate direct answers from Anthony as well. We were not convinced about Qlustar being on linux-distros being worth the risk, so we never satisfied Roland's request. If we're to satisfy Anthony's request and add Amazon to linux-distros, we need to clearly show how it meets a higher threshold. Thanks, Alexander
Current thread:
- Request for linux-distros list membership Anthony Liguori (Apr 09)
- Re: Request for linux-distros list membership Kurt Seifried (Apr 09)
- Re: Request for linux-distros list membership Anthony Liguori (Apr 09)
- Re: Request for linux-distros list membership Anthony Liguori (Apr 09)
- Re: Request for linux-distros list membership Kurt Seifried (Apr 09)
- Re: Request for linux-distros list membership Solar Designer (Apr 09)
- Re: Request for linux-distros list membership Anthony Liguori (Apr 10)
- Re: Request for linux-distros list membership Max Spevack (Apr 10)
- Re: Request for linux-distros list membership Tyler Hicks (Apr 10)
- Re: Request for linux-distros list membership Seth Arnold (Apr 10)
- Re: Request for linux-distros list membership Anthony Liguori (Apr 18)
- Re: Request for linux-distros list membership rf (Apr 18)
- Re: Request for linux-distros list membership Kurt Seifried (Apr 18)
- Re: Request for linux-distros list membership rf (Apr 19)
- Re: Request for linux-distros list membership Solar Designer (Apr 24)
- Re: Request for linux-distros list membership Solar Designer (Apr 24)
- Re: Request for linux-distros list membership Kurt Seifried (Apr 09)