List:       oss-security
Subject:    Re: [oss-security] linux-distros membership application - Microsoft
From:       Tyler Hicks <tyhicks () canonical ! com>
Date:       2019-06-27 17:48:58
Message-ID: 20190627174858.GD25142 () elm

On 2019-06-27 09:57:38, Anthony Liguori wrote:
> On Thu, Jun 27, 2019 at 7:05 AM Solar Designer <solar@openwall.com> wrote:
> > > >3. Have a publicly verifiable track record, dating back at least 1
> > > >year and continuing to present day, of fixing security issues
> > > >(including some that had been handled on (linux-)distros, meaning that
> > > >membership would have been relevant to you) and releasing the fixes
> > > >within 10 days (and preferably much less than that) of the issues
> > > >being made public (if it takes you ages to fix an issue, your users
> > > >wouldn't substantially benefit from the additional time, often around
> > > >7 days and sometimes up to 14 days, that list membership could give
> > > >you).
> > >
> > > > Microsoft has a decades-long history of addressing security issues via
> > > MSRC (https://www.microsoft.com/en-us/msrc). While we are able to
> > > quickly (<1-2 hours) create a build to address disclosed security
> > > issues, we require extensive testing and validation before we make these
> > > builds public. Being members of this mailing list would provide us the
> > > additional time we need for extensive testing.
> >
> > It'd be helpful if you could directly address this part: "including some
> > that had been handled on (linux-)distros, meaning that membership would
> > have been relevant to you".  Without such examples yet, we'd have to be
> > guessing whether the membership would have been relevant to you or not.
> 
> I'm not aware of issues on the distros list, but Microsoft has been
> very active in working with the broader community on Spectre/Meltdown
> style mitigations.  I think the community would benefit overall from
> their participation on distros.

I agree with Anthony on this point. They've been beneficial to the
greater Linux community and I feel like their direct involvement on
linux-distros would benefit other members.

Tyler