l...@gnu.org (Ludovic Courtès) writes:

> Leo Famulari <l...@famulari.name> skribis:
>
>> I've seen some members of Guix express doubts about the utility of
>> private discussion forums like linux-distros, and I'm sympathetic.
>>
>> In fact, even without early notification, we are usually shipping
>> security updates for embargoed issues within 24 hours of public
>> disclosure, and usually within a few hours. And for non-embargoed
>> issues, we are shipping fixes earlier than the major distros very often.
>> I read the "security update round-ups" on LWN, and typically they are
>> full of bugs we already fixed. So, perhaps it wouldn't make a big
>> difference in most cases.
>>
>> But, the "Stack Clash" issues took us by surprise and we spent a few
>> days writing and testing our fixes. We are committed to supporting
>> 32-bit platforms where these bugs are apparently easy to exploit.
>> Without access to the exploits or detailed discussion, it was very
>> difficult to know if our fixes actually worked. So, we could have
>> responded more quickly and effectively with early notice.
>>
>> What do people think? Is anyone else interested in applying to join this
>> mailing list? Is anyone else willing to stick to the rules and to
>> participate?
>
> Like you say, you (and Mark and others) have been doing excellent work
> already without being on that list, but I agree that the early notice
> could help in some cases. So overall I think being on linux-distros is
> a good idea, and it seems like we meet the criteria.
>
> The real question is about our commitment to contribute back.
> Presumably only one or two of us would be on that list, so they would
> largely have that responsibility individually, even if the rest of us
> could of course help out as far as the embargo etc. permits.
>
> Long story short, I would be super happy if you or Mark were on that
> list.
>
> How do you feel about it?
It might be that joining linux-distros is the right thing to do, but I
don't have the spare capacity to contribute back at this time.

Also, I have mixed feelings about promising to keep security flaws a
secret for however long I'm asked to do so (which apparently exceeded
the time specified in the mailing list rules for Stack Clash). I'm not
yet prepared to make such a promise.

      Mark