
List:       opensolaris-security-discuss
Subject:    Re: [security-discuss] OpenSolaris distro Security vulnerability
From:       "Brian Gupta" <brian.gupta () gmail ! com>
Date:       2007-09-06 17:49:20
Message-ID: 5b5090780709061049g26a6ad0cr6767851106962ba3 () mail ! gmail ! com

I missed this... (It got filtered in one of my various configurations.)

I have to assume that the Indiana folks will know to do this, correct?

-Brian

On 5/23/07, Darren J Moffat <Darren.Moffat@sun.com> wrote:
> Brian Gupta wrote:
> > As a package maintainer, I always check the dev list, to make sure
> > there are no security packages coming out.
>
> What OpenSolaris packages do you maintain?
>
> > One thing that might be useful is to have a dedicated resource within
> > security to monitor general security alert info that points out very
> > critical high threat vulnerabilities. The security community would
> > have the authority to push the maintainer (me) to push out a code fix
> > faster than I might otherwise have done so.
>
> > I'm not sure how the governing logistics would work, but is the idea
> > sound, or redundant?
>
> We do need to do something here but I think the coordination needs to be
> with the distributions and the consolidations (ones like ON, X, JDS etc)
> hosted on opensolaris.org.
>
> For Solaris and Solaris Express we have a process internal to Sun.  That
> process won't migrate externally as is but we know we need to do
> something as a community.  I say that both as a founding leader of this
> OpenSolaris security community and as a member of the internal-to-Sun
> virtual team that does the security coordination: it is both a tools and
> a process issue why what we do today wouldn't work for OpenSolaris.
>
> Some of how we do this coordination will IMO need input from the
> OpenSolaris OGB because we don't want to push the info out to everyone
> via the security community when responsible/managed disclosure for
> vulnerabilities is in play.  We need to have good control and trust in
> these cases of who gets information.  How does a distro do this, and when is
> a distro sufficiently established that it can participate (consider that
> in theory one could set up a distro purely to get early notification if
> this isn't managed well)?
>
> Thanks for kick starting the discussion, I've changed the title to
> reflect the topic.
>
> --
> Darren J Moffat
>


-- 
- Brian Gupta

http://opensolaris.org/os/project/nycosug/
_______________________________________________
security-discuss mailing list
security-discuss@opensolaris.org