On Sat, Jun 07, 2014 at 09:13:36AM +0200, Francois Ambrosini wrote:
> On Sat, 7 Jun 2014 07:04:47 +0400
> Solar Designer <so...@openwall.com> wrote:
> 
> > Being on the distros list is not mandatory to receive advance
> > notification of security issues.  The list is just a tool.  People
> > reporting security issues to the distros list are encouraged to also
> > "notify upstream projects/developers of the affected software, other
> > affected distro vendors, and/or affected Open Source projects".
> 
> You and others may want to know that, since yesterday, the OpenSSL
> wiki says otherwise. Quoting:
> 
> "If you would like advanced notice of vulnerabilities before they are
> released to the general public, then please join
> [http://oss-security.openwall.org/wiki/mailing-lists/distros Operating
> system distribution security contact lists] at OpenWall's OSS Security"
> 
> http://wiki.openssl.org/index.php?title=Security_Advisories&diff=1700&oldid=1697

Thanks for letting me know.  I wasn't aware of this.  I don't know
whether this wiki edit is authoritative for the OpenSSL project, but if
it is it means that there's greater assurance those on distros list will
continue to receive advance notification, and indeed it's simpler for
the OpenSSL project to be able to notify more distro vendors at once.

I don't see it as contradictory to what I wrote (quoted above): it
doesn't say that those who haven't joined will definitely not be notified.
I guess OpenSSL will maintain an additional list of who to notify,
besides the distros list.  As I said before, I can't speak for the
OpenSSL project, though - so these are just guesses.

My personal opinion is that if OpenBSD doesn't join the distros list,
yet wants LibreSSL to be notified of OpenSSL security issues, OpenSSL
should be notifying LibreSSL directly.  I think it'd be helpful if
LibreSSL nominates specific contact persons for that, along with PGP
keys to use, and informs the OpenSSL project of that.  (Use of PGP was
mandatory in the recent advance notification offered to distros list.)
Once that has been done, you'd have (more) reason to complain if you're
not notified next time (but I hope you will be).

Alexander