From: Marcus Meissner <meissner-l3A5Bk7waGM-AT-public.gmane.org>
To: OSS Security List <oss-security-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8-AT-public.gmane.org>
Subject: Vendor-sec hosting and future of closed lists
Date: Thu, 3 Mar 2011 19:12:24 +0100
As moderator of vendor-sec and one of the sysadmins of lst.de I noticed
a break-in into the lst.de machine last week, which was likely used to
sniff email traffic of vendor-sec. This incident probably happened on Jan 20
as confirmed by timestamp, but might have existed for longer.
As the system in use at lst.de is quite old and the admin team and I
do not really have the time anymore to keep it on a secure level, we
would like to move the list to another hosting place.
I have disabled the specific backdoor, but as I am not sure how the
break-in happened it might reappear. So I recommend not mailing embargoed
issues to vendor-sec-jcswGhMUV9g@public.gmane.org at this time.
I have asked Solar Designer if he could take over hosting, and he agreed,
including a full GPG-encrypted setup.
However we found during this brainstorming that changes in the setup
of the vendor-sec list likely are good at this point in time.
The number of subscribers is high, and probably 80-100 people get vendor-sec
emails, making leaks by members always a possibility.
Also the usefulness of v-s in general has diminished a bit, especially with
oss-sec present and more active and more involved upstream projects doing
their own management. Mark J Cox has some stats for Redhat updates showing this.
(To use the treadmill metaphor, v-s does not help us vendors as much
with the speed of the patch treadmill as it did 5 - 10 years ago.)
So I would like to open up a discussion with _all_ OSS Security folks present.
- Is a closed vendor coordination like vendor-sec still needed at this time?
Meaning: does the benefit of a closed group really outweigh the
"left out feeling" of non members and its annoyances?
- If yes, would it be an idea to confine or split into lists of focus groups?
(like Linux vendors, BSD vendors, all OSS source using vendors, etc?)
- Or of course the old option is open:
Should we proceed with the current state as-is, but throw a bit more
GPG encryption on top?
- What other options do we have or should we pursue?
At least SUSE, Redhat and Openwall are open for discussion.
Please discuss :)
Ciao, Marcus (vendor-sec moderator)