Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Re: Pop!_OS Membership to linux-distros list

Related Vulnerabilities: CVE-2020-13529   CVE-2021-33910  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: Pop!_OS Membership to linux-distros list

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: "Jeremy Soller" &lt;jeremy () system76 com&gt;

Date: Wed, 04 Aug 2021 09:59:02 -0600

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
On Tue, Jul 27, 2021, at 11:59 AM, Solar Designer wrote:
Hi Jeremy,

On Tue, Jul 20, 2021 at 02:23:26PM -0600, Jeremy Soller wrote:
3. Have a publicly verifiable track record, dating back at least 1 year and
continuing to present day, of fixing security issues (including some that had
been handled on (linux-)distros, meaning that membership would have been
relevant to you) and releasing the fixes within 10 days (and preferably much
less than that) of the issues being made public (if it takes you ages to fix an
issue, your users wouldn't substantially benefit from the additional time,
often around 7 days and sometimes up to 14 days, that list membership could
give you)

Over the history of Pop!_OS, dating back to 2017, we have maintained critical
packages and applied security patches soon after they are made public. Our
membership to this list would significantly help our users stay secure by
allowing us to prepare and test security updates ahead of public disclosure.
Please see our GitHub organization for more evidence: https://github.com/pop-os

I think it'd be most convincing for us all to see specific examples of
you having "applied security patches soon after they are made public",
with dates public vs. fixed in Pop!_OS.

How many examples should I provide? The last security patch I did was for
systemd. We have patches on systemd which means we cannot use the Ubuntu
version directly, so when, for example, CVE-2020-13529 and CVE-2021-33910
patches arrived in Ubuntu 21.04 on July 20, 2021, I applied them to our own
fork of systemd for Pop!_OS 21.04 that same day:

- https://launchpad.net/ubuntu/+source/systemd/247.3-3ubuntu3.4
- https://github.com/pop-os/systemd/commit/bf008f836b8740f6634d02526d1f38c98fa6699a

Pop!_OS needs to participate in linux-distros to ensure we have patches ready
for our forks of packages that do not come straight from Ubuntu. I listed the
relevant packages in my original email, many of which we have had to do
security updates for after some embargo lifts, with very little time to prepare.

7. Be able and willing to contribute back (see above), preferably in specific
ways announced in advance (so that you're responsible for a specific area and
so that we know what to expect from which member), and demonstrate actual
contributions once you've been a member for a while

I am able and willing to contribute back.

Please choose a specific task (or several).

I suggest the statistics task:

"13. Keep track of per-report and per-issue handling and disclosure
timelines (at least times of notification of the private list and of
actual public disclosure), at regular intervals produce and share
statistics (most notably, the average embargo duration) as well as the
raw data (except on issues that are still under embargo) by posting to
oss-security - primary: Amazon, backup: Gentoo"

As you can see, it is currently assigned to Amazon and Gentoo, but as
far as I can see neither is actually handling it now, so I'd like to
formally unassign it from them and have another distro handle it.

That would be fine, but I would be curious if there is some reason they have
not been fulfilling this task.
 
9. Have someone already on the private list, or at least someone else who has
been active on oss-security for years but is not affiliated with your distro
nor your organization, vouch for at least one of the people requesting
membership on behalf of your distro (then that one vouched-for person will be
able to vouch for others on your team, in case you'd like multiple people
subscribed)

I do not know if I have contacts that are already on the linux-distros list.

It can also be "someone else who has been active on oss-security for
years but is not affiliated".  Anyone?

I believe Tyler Hicks is willing to do this.

Thanks,

Alexander

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

Pop!_OS Membership to linux-distros list Jeremy Soller (Jul 20)

Re: Pop!_OS Membership to linux-distros list Solar Designer (Jul 27)

Re: Pop!_OS Membership to linux-distros list Tyler Hicks (Jul 30)

Re: Pop!_OS Membership to linux-distros list Jeremy Soller (Aug 04)

Re: Pop!_OS Membership to linux-distros list Tyler Hicks (Aug 04)

Re: Pop!_OS Membership to linux-distros list Solar Designer (Aug 17)
Re: Pop!_OS Membership to linux-distros list Jeremy Soller (Sep 07)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started