oss-sec mailing list archives
Re: Vendor-sec hosting and future of closed lists
From: Josh Bressers <bressers () redhat com>
Date: Tue, 8 Mar 2011 10:59:57 -0500 (EST)
----- Original Message -----
> As suggested by Josh Bressers oCERT would be favourable to providing a system that would accept user submission and allow selection of security contacts from our existing member database as well as other verified contacts. As Josh pointed out we do this already (even if manually and not with a web selection thing or whatever) and I am open to explore ways to create more cooperation. We would also be willing to host and maintain a closed vendor-sec style mailing list like the previous one with the only condition for member list to be public (not necessarily the individual contact names but at least the entities represented).
I've been thinking about this a bit, and here are my thoughts.
I think oCERT could be a good fit here. They already have contacts, and
such a setup would likely have a formal process of sorts for vetting
recipients of issues. My current fears are:
1) Is oCERT in a position to increase its current workload by several
magnitudes? I suspect you're going to have to expand your team by a fair
amount. I also imagine this will result in changes to the way oCERT
currently exists; perhaps not, though, I can't see behind the curtain.
2) Will dealing with oCERT in this manner generate extra process?
vendor-sec was quite process free, a little doesn't hurt, but a lot can
be bad.
3) Are we going to annoy other CERTs? Will they even care?
4) oCERT already exists, there are going to be disagreements about how to
do things, both sides of all issues will need to be open to ideas and
compromise.
There is also the option of recreating an old style list. This is a bit
more ad-hoc and Openwall has already offered to host such a thing (Solar
has quite a bit already in place). I do favor this a bit, as it would make
a nice complement to oss-security. It also puts our destiny squarely in our
own hands. It is more work for the involved parties though (and a lot more
work for Openwall).
The disadvantages I recall from the old list are:
1) Membership management is a pain. Adding new people is annoying and
nobody ever leaves.
2) Nobody is in charge, which means sometimes issues can get ignored or
forgotten (also see #1)
3) The potential for leaks is probably a bit higher than using something
like oCERT (downstream recipients are monitored a bit more closely I
would hope). Perhaps a benevolent dictator type approach could help
prevent this.
Whatever is decided should be decided by the groups most affected. Here is
a collection of the top members that have contributed to the old
vendor-sec since mid 2008 (my historic archive isn't as easy to get at, I
can crunch it if someone wishes, I don't expect it to change much though):
openwall.com
mandriva.com
gentoo.org
ubuntu.com
canonical.com
apple.com
debian.org
suse.de
redhat.com
There were a handful of other people that contributed a fair amount but
were not list members, or not part of one of the above orgs (Tavis Ormandy,
Chris Evans, Alan Cox, oCERT, and Samba for example).
Once we have a vision for the future, we should try to let various groups
know who they can contact in the future. I imagine some of them still don't
know what happened to vendor-sec.
Thanks.
--
JB