Re: Pop!_OS Membership to linux-distros list

Related Vulnerabilities: CVE-2020-13529   CVE-2021-33910  
oss-sec
mailing list archives
From: "Jeremy Soller" <jeremy () system76 com>

Date: Tue, 07 Sep 2021 10:37:52 -0600

Hello Alexander,

I'm keeping this in mind. We may hire someone to handle this task, and I will get back to you when we do.

Thanks,

-- 
  Jeremy Soller
  System76
  Principal Engineer
  jeremy () system76 com

On Tue, Aug 17, 2021, at 6:31 AM, Solar Designer wrote:
Hi Jeremy,

I'm sorry about the delay.  I was hoping someone else would chime in.

On Wed, Aug 04, 2021 at 09:59:02AM -0600, Jeremy Soller wrote:
On Tue, Jul 27, 2021, at 11:59 AM, Solar Designer wrote:
On Tue, Jul 20, 2021 at 02:23:26PM -0600, Jeremy Soller wrote:
Over the history of Pop!_OS, dating back to 2017, we have maintained critical
packages and applied security patches soon after they are made public. Our
membership to this list would significantly help our users stay secure by
allowing us to prepare and test security updates ahead of public disclosure.
Please see our GitHub organization for more evidence: https://github.com/pop-os

I think it'd be most convincing for us all to see specific examples of
you having "applied security patches soon after they are made public",
with dates public vs. fixed in Pop!_OS.

How many examples should I provide? The last security patch I did was for
systemd. We have patches on systemd which means we cannot use the Ubuntu
version directly, so when, for example, CVE-2020-13529 and CVE-2021-33910
patches arrived in Ubuntu 21.04 on July 20, 2021, I applied them to our own
fork of systemd for Pop!_OS 21.04 that same day:

- https://launchpad.net/ubuntu/+source/systemd/247.3-3ubuntu3.4
- https://github.com/pop-os/systemd/commit/bf008f836b8740f6634d02526d1f38c98fa6699a

Pop!_OS needs to participate in linux-distros to ensure we have patches ready
for our forks of packages that do not come straight from Ubuntu. I listed the
relevant packages in my original email, many of which we have had to do
security updates for after some embargo lifts, with very little time to prepare.

There's no specific requirement on the number of examples.  The above
looks reasonable to me.

7. Be able and willing to contribute back (see above), preferably in specific
ways announced in advance (so that you're responsible for a specific area and
so that we know what to expect from which member), and demonstrate actual
contributions once you've been a member for a while

I am able and willing to contribute back.

Please choose a specific task (or several).

I suggest the statistics task:

"13. Keep track of per-report and per-issue handling and disclosure
timelines (at least times of notification of the private list and of
actual public disclosure), at regular intervals produce and share
statistics (most notably, the average embargo duration) as well as the
raw data (except on issues that are still under embargo) by posting to
oss-security - primary: Amazon, backup: Gentoo"

As you can see, it is currently assigned to Amazon and Gentoo, but as
far as I can see neither is actually handling it now, so I'd like to
formally unassign it from them and have another distro handle it.

That would be fine, but I would be curious if there is some reason they have
not been fulfilling this task.

I cannot speak for them, but the task does require some effort on every
issue, and perhaps the specific people are just not putting the effort.
As you can see, this was different in 2017-2019 when Gentoo had a person
actually working on this task.

Besides statistics per se, an important desirable side-effect of working
on this task is that you'd end up double-checking that every issue does
in fact get reported to oss-security.
 
9. Have someone already on the private list, or at least someone else who has
been active on oss-security for years but is not affiliated with your distro
nor your organization, vouch for at least one of the people requesting
membership on behalf of your distro (then that one vouched-for person will be
able to vouch for others on your team, in case you'd like multiple people
subscribed)

I do not know if I have contacts that are already on the linux-distros list.

It can also be "someone else who has been active on oss-security for
years but is not affiliated".  Anyone?

I believe Tyler Hicks is willing to do this.

Like he says, he'd "be a lot more comfortable if someone could provide a
stronger vouch."

However, overall I think Pop!_OS and you personally (also considering
your work on Redox OS) do meet the requirements.  So let's proceed with
the subscription.  Please e-mail me off-list with your e-mail address
and PGP key to use.  Please also confirm in this thread that we're
getting the statistics task assigned to you, and we can discuss some
specifics on what's to be done on it.

Thanks,

Alexander

Current thread:

Pop!_OS Membership to linux-distros list Jeremy Soller (Jul 20)

Re: Pop!_OS Membership to linux-distros list Solar Designer (Jul 27)

Re: Pop!_OS Membership to linux-distros list Tyler Hicks (Jul 30)

Re: Pop!_OS Membership to linux-distros list Jeremy Soller (Aug 04)

Re: Pop!_OS Membership to linux-distros list Tyler Hicks (Aug 04)

Re: Pop!_OS Membership to linux-distros list Solar Designer (Aug 17)

Re: Pop!_OS Membership to linux-distros list Jeremy Soller (Sep 07)