Home page logo

oss-sec logo oss-sec mailing list archives

Re: running the distros lists
From: Josh Bressers <bressers () redhat com>
Date: Thu, 15 Mar 2012 08:33:41 -0400 (EDT)

Kurt - how about my original request for help running the list, though?
Even if you somehow don't volunteer to notify upstreams (and others),
making sure that every issue gets a CRD proposed for it ASAP will be of
help.  Can I at least count on you doing that? ;-)  And maybe someone
else will volunteer for other sub-tasks (although a per-vulnerability
rather than per-sub-task split between the several responsible list
members could work better, I think).

This task strikes me as a timesink that results in minimal value. It's in
the best interest of all list members to fix issues in a timely manner. The
historic vendor-sec never had a serious problem with CRD. They were often
outside of the current proposed 14 day span, but that's just a reality of
how things go. We all have more work to do than time, so some things are
bound to suffer.

Trying to get a couple people to do this is going to be a losing battle. We
need to think about how to best let the list police itself. It certainly
won't be 100% perfect, but I think even an 80% reasonable CRD agreement
goal is acceptable (perfect is the enemy of the good comes to mind).

I would suggest some reasonable guidelines (that are not enforced
strictly), then see how things go for a while. If it's deemed unacceptable,
a better solution can be worked on.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]