
List:       oss-security
Subject:    Re: [oss-security] linux-distros membership application - Microsoft
From:       John Haxby <john.haxby () oracle ! com>
Date:       2019-06-27 18:56:45
Message-ID: CE800BE0-7398-4ABA-9980-ABC97A6EB67D () oracle ! com



> On 27 Jun 2019, at 18:48, Tyler Hicks <tyhicks@canonical.com> wrote:
> 
> On 2019-06-27 09:57:38, Anthony Liguori wrote:
> > On Thu, Jun 27, 2019 at 7:05 AM Solar Designer <solar@openwall.com> wrote:
> > > > > 3. Have a publicly verifiable track record, dating back at least 1
> > > > > year and continuing to present day, of fixing security issues
> > > > > (including some that had been handled on (linux-)distros, meaning that
> > > > > membership would have been relevant to you) and releasing the fixes
> > > > > within 10 days (and preferably much less than that) of the issues
> > > > > being made public (if it takes you ages to fix an issue, your users
> > > > > wouldn't substantially benefit from the additional time, often around
> > > > > 7 days and sometimes up to 14 days, that list membership could give
> > > > > you).
> > > > 
> > > > Microsoft has decades long history of addressing security issues via
> > > > MSRC (https://www.microsoft.com/en-us/msrc). While we are able to
> > > > quickly (<1-2 hours) create a build to address disclosed security
> > > > issues, we require extensive testing and validation before we make these
> > > > builds public. Being members of this mailing list would provide us the
> > > > additional time we need for extensive testing.
> > > 
> > > It'd be helpful if you could directly address this part: "including some
> > > that had been handled on (linux-)distros, meaning that membership would
> > > have been relevant to you".  Without such examples yet, we'd have to be
> > > guessing whether the membership would have been relevant to you or not.
> > 
> > I'm not aware of issues on the distros list, but Microsoft has been
> > very active in working with the broader community on Spectre/Meltdown
> > style mitigations.  I think the community would benefit overall from
> > their participation on distros.
> 
> I agree with Anthony on this point. They've been beneficial to the
> greater Linux community and I feel like their direct involvement on
> linux-distros would benefit other members.
> 
> Tyler


I know this is "me too" but I agree with both Anthony and Tyler.  I'd also endorse
Sasha personally from my association with him in the past.

jch

