Re: administrative tasks (was: illumos (or at least danmcd) membership in the distros list)

[Alan Coopersmith <alan.coopersmith () oracle com>]

On 9/25/23 12:23, Solar Designer wrote:
> Administrative tasks mostly unrelated to (linux-)distros lists (but
> relevant to the wider community)
>
> 1. Help ensure that each message posted to oss-security contains the
> most essential information (e.g., vulnerability detail and/or exploit)
> directly in the message itself (and in plain text) rather than only by
> reference to an external resource, and add the missing information
> (e.g., in your own words, by quoting with proper attribution, and/or by
> creating and attaching a properly attributed text/plain export of a
> previously referenced web page) and remind the original sender of this
> requirement (for further occasions) in a "reply" posting when necessary
> - primary: Oracle Solaris, backup: Container-Optimized OS
>
> 2. Develop tools to help with the above (crawl URLs in messages and
> produce draft follow-ups for manual editing+posting)
>
> 3. Monitor for Open Source security issues/topics published elsewhere,
> identify which of these would fit, and bring them to oss-security
>
> 4. Develop tools to help with the above (automatically monitor Open
> Source projects' and other relevant third-party mailing lists, websites,
> social media, source code repositories, releases for likely Open Source
> security issues/topics)
>
> 5. Directly encourage upstreams, researchers, umbrella organizations,
> packagers, distros, etc. to report to the lists
>
> 6. Suggest and provide examples of quality improvements for such reports
> (beyond them containing the most essential information)
>
> 7. Set up and maintain more reliable oss-security Twitter/Mastodon
> feed(s) (the existing Twitter feed occasionally misses messages)
>
> 8. Set up and maintain new curated "best of oss-security"
> Twitter/Mastodon feed(s)
>
> Out of these, items 1 and 3 existed before, and I see Alan Coopersmith
> from Oracle Solaris help with item 3 (thank you, Alan!), e.g.:
>
> https://www.openwall.com/lists/oss-security/2023/07/27/1
> https://www.openwall.com/lists/oss-security/2023/06/20/6
> https://www.openwall.com/lists/oss-security/2023/04/12/4
>
> but somehow not with item 1 - maybe it's some confusion, which we should
> correct?  I don't recall Container-Optimized OS actually doing anything
> on item 1, where they're backup.  Please correct me if I'm wrong (just
> didn't notice/recall something).  Maybe we should free item 1 up for new
> volunteers now.

Apologies, I may have misremembered exactly what I supposed to be doing at some
point, and in hindsight, much of what I have done was closer to #6 than #1:

https://www.openwall.com/lists/oss-security/2022/01/25/15
https://www.openwall.com/lists/oss-security/2022/10/12/2
https://www.openwall.com/lists/oss-security/2023/01/31/7

but I at least did some of #1 if you look far enough back:

https://www.openwall.com/lists/oss-security/2022/08/09/1

I've also tried to set a good example in the messages I post on behalf of X.Org.

I'd be happy to pass on #1 to someone else and continue doing #3.  I don't have
the bandwidth to write tools to automate it though (#4) - I mostly monitor
chatter on twitter & mastodon, watch the newly published CVE list, and monitor
updates to https://salsa.debian.org/security-tracker-team/security-tracker.git.


--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris