oss-sec mailing list archives

Re: NetBSD/pkgsrc membership on distros list


From: Alistair Crooks <agc () pkgsrc org>
Date: Tue, 16 May 2017 10:04:12 -0700

Yeah, we're here, we are the same as previously, still trying to go
about our business with maximum effect and minimal fuss, and we're
listening.

We haven't contributed anything (much) recently, but we don't really
go in for massive "me too"s, and had kinda hoped that the "no drama"
approach would work here. It seems my assumptions were wrong. I will
attempt to do a better job at posting - sorry about that, mea culpa.

What are we doing these days? We're looking into the pre-announcement
that everyone else is looking at for NetBSD, and pkgsrc is even more
vibrant than ever, runs on a huge number of platforms, and is still
reporting CVEs in the usual way - we were told some minor Linux
distributions use the pkgsrc notification mechanism, so, for their
sakes, I'd ask that you continue to keep us in the loop, please.

With thanks (for the support you give),
Alistair

On 16 May 2017 at 08:39, Solar Designer <solar () openwall com> wrote:
Hi,

A few individuals from/for NetBSD/pkgsrc joined the non-public distros
list a while ago.  Unfortunately, lately they appear to have become
inactive.  Thus, I am likely to remove NetBSD/pkgsrc from the distros
list soon unless the membership is "renewed" through demonstrated
interest and vulnerability response by specific people from there.

I notice NetBSD security team is still active in terms of issuing
public security advisories (latest one posted on March 24), but the way
the situation looks to me (and I admit I could be wrong) those
advisories are not produced by the same people who had joined distros.
So maybe NetBSD needs to nominate their currently active security people
for distros membership on behalf of their project.

I could figure out who the active NetBSD security people are now and
approach them, but that's mostly not how distros membership applications
worked so far - specifically, I'd like membership to be requested by
each distro's security team.  I don't want to be pinging them about it
myself, as that could result in some joining just because they were
invited/reminded like that rather than because of genuine interest.

Similarly, I intentionally don't CC this posting to anyone - if someone
(perhaps from NetBSD) is not in here, then even if they're doing
security response for their distro they are not an ideal representative
for their distro on the distros list.  That's because we assume that the
distro also keeps track of whatever issues are being made public on
oss-security (with most of those issues never having been brought up on
the distros list, so by being only on distros the person would miss most
issues they might need to deal with).

If anyone from NetBSD who is on oss-security has anything relevant to
say on this, please speak up.

Thanks,

Alexander
