
List:       oss-security
Subject:    Re: [oss-security] Gentoo's "contributing back" linux-distros tasks
From:       Yury German <blueknight () gentoo ! org>
Date:       2020-10-12 18:36:55
Message-ID: 749d9302-fcd1-4dc5-15d6-27802f36b081 () gentoo ! org


On 10/12/20 8:30 AM, Solar Designer wrote:
> Hi,
>
> Gentoo signed up for these "contributing back" tasks for linux-distros:
>
> https://oss-security.openwall.org/wiki/mailing-lists/distros#contributing-back
>
> 9. Stay on top of issues to ensure progress is being made, remind others
> when there's no apparent progress, as well as when the public disclosure
> date for an issue is approaching and when it's finally reached (unless
> the reporter beats you to it by making their mandatory posting to
> oss-security first) - primary: Gentoo, backup: Amazon
>
> 11. Make sure the mandatory oss-security posting is made promptly and is
> sufficiently detailed, and remind the reporter if not - primary: Gentoo,
> backup: Amazon
>
> 12. If exploit(s) were shared on the list, make sure that either they're
> included in the oss-security posting along with the issue detail or the
> posting includes an announcement of planned later posting of the
> exploits (with the delay being within list policy), and in the latter
> case also make sure that the later posting is in fact made as planned,
> and remind the reporter if not - primary: Gentoo, backup: Amazon
>
> 13. Keep track of per-report and per-issue handling and disclosure
> timelines (at least times of notification of the private list and of
> actual public disclosure), at regular intervals produce and share
> statistics (most notably, the average embargo duration) as well as the
> raw data (except on issues that are still under embargo) by posting to
> oss-security - primary: Gentoo, backup: Amazon
>
> and we saw some contributions from Gentoo on these, most notable being
> their work on the statistics (task 13 above):
>
> https://oss-security.openwall.org/wiki/mailing-lists/distros/stats
>
> Unfortunately, the last update of these statistics ("Last modified:
> 2019/10/15 01:52 by kristianf") is also when the contributions ceased.
>
> Some others have been taking care of tasks 9, 11, 12 (in particular,
> Anthony Liguori of Amazon has been helping, but on various occasions
> also many others from other distros), but not yet of task 13.
>
> I understand that Gentoo is a community project run by volunteers, and I
> am not complaining.  Rather, I think we need to discuss with Gentoo in
> here and reassign to other distros whatever responsibilities Gentoo no
> longer has resources for.  We should ideally keep at least one task
> Gentoo's responsibility (and Gentoo should have specific people assigned
> to that task), at least to be consistent with our current requirements
> for new distros joining (linux-)distros.
>
> To Gentoo: which of these tasks, or other "contributing back" tasks, are
> you (still) willing to handle, and who on your team would handle them?

Alexander,

As you mentioned, Gentoo is a purely volunteer distribution and due to
the happenings in the world we could not devote a lot of time.

Currently I have been maintaining the statistics for the list, but there
was a time from October to January that I was off the list and do not
have the archive of the messages. I will need to work with someone to
fill out those statistics as K_F is currently not available.

I will be able to continue with Task 13, and will catch up during the
weekend.


>
> To others on linux-distros: which of the above tasks do you volunteer to
> become primary for?
>
> To Amazon: do you want to remain backup for task 13, or do you not have
> the resources to handle it?
>
> If Gentoo already has some work-in-progress on task 13 for October 2019
> and on, yet we reassign this task to another distro, then that data and
> instructions should probably be transferred to the other distro.
>
> Alexander
