On Sat, 7 Jun 2014 14:19:33 +0400 Solar Designer <so...@openwall.com> wrote:
> On Sat, Jun 07, 2014 at 09:13:36AM +0200, Francois Ambrosini wrote:
> > On Sat, 7 Jun 2014 07:04:47 +0400
> > Solar Designer <so...@openwall.com> wrote:
> >
> > > Being on the distros list is not mandatory to receive advance
> > > notification of security issues. The list is just a tool. People
> > > reporting security issues to the distros list are encouraged to
> > > also "notify upstream projects/developers of the affected
> > > software, other affected distro vendors, and/or affected Open
> > > Source projects".
> >
> > You and others may want to know that – since yesterday – the
> > OpenSSL wiki says otherwise. Quoting:
> >
> > "If you would like advanced notice of vulnerabilities before they
> > are released to the general public, then please join
> > [http://oss-security.openwall.org/wiki/mailing-lists/distros
> > Operating system distribution security contact lists] at OpenWall's
> > OSS Security"
> >
> > http://wiki.openssl.org/index.php?title=Security_Advisories&diff=1700&oldid=1697
>
> Thanks for letting me know. I wasn't aware of this. I don't know
> whether this wiki edit is authoritative for the OpenSSL project, but
> if it is it means that there's greater assurance those on distros
> list will continue to receive advance notification, and indeed it's
> simpler for the OpenSSL project to be able to notify more distro
> vendors at once.
>
> I don't see it as contradictory to what I wrote (quoted above): it
> doesn't say that those who haven't joined will definitely not be
> notified. I guess OpenSSL will maintain an additional list of who to
> notify, besides the distros list. As I said before, I can't speak
> for the OpenSSL project, though - so these are just guesses.
>
> My personal opinion is that if OpenBSD doesn't join the distros list,
> yet wants LibreSSL to be notified of OpenSSL security issues, OpenSSL
> should be notifying LibreSSL directly. I think it'd be helpful if
> LibreSSL nominates specific contact persons for that, along with PGP
> keys to use, and informs the OpenSSL project of that. (Use of PGP was
> mandatory in the recent advance notification offered to distros list.)
> Once that has been done, you'd have (more) reason to complain if
> you're not notified next time (but I hope you will be).
>
> Alexander

I am a mere user who happened to spot an inconsistency and wanted to inform all parties. I will not comment on your guesses and opinions with information I do not have. I'll just state that I find your interpretation of the quote from the OpenSSL wiki rather optimistic, and give you the additional hint that a public statement from Mark Cox on Google+ goes against it (check the "timeline" post). I humbly think it was (and is) not the right time for guesses and I must confess my surprise at your response. I would have thought that, with the new responsibility given to the "distro" list, you would want to check with the OpenSSL people first.