[illumos-Developer] security issues

Garrett D'Amore garrett at damore.org
Wed Dec 8 08:08:38 PST 2010


On Wed, 2010-12-08 at 07:50 -0800, Alan Coopersmith wrote:
> Jerry Jelinek wrote:
> > Back when Sun was doing OpenSolaris they were
> > plugged into the various agencies, such as CERT,
> > which issue advance notification when a security
> > hole has been found.  Sun could then quickly address 
> > the bug and issue a patch.
> 
> CERT hasn't been that relevant for a while - I believe the primary
> source of cross-vendor coordination now is vendor-sec:
> 
> http://oss-security.openwall.org/wiki/mailing-lists/vendor-sec
> http://en.wikipedia.org/wiki/Vendor-sec
> 
> Certainly that's where most of the security alert info that's passed
> on to me from the security team for fixes we need in Solaris all seems
> to come from, and as one of the people in the upstream security team at
> X.Org, that's where we pass it on to for pre-public distribution to the
> vendors & distro builders who don't have people on our team.
> 

I think we need to have someone who "owns" the responsibility for
coordinating these efforts for Linux.  I also encourage each of the
distributions (OpenIndiana, SchilliX, etc.) to do so on their own
behalf.

If you're reading this and think you're a natural fit for the above
(deep coding expertise, tenacity, and diligent follow-through all the
way to integration are all key elements here), please contact me
offline.

	- Garrett




