[illumos-Developer] security issues
Garrett D'Amore
garrett at damore.org
Wed Dec 8 08:08:38 PST 2010
On Wed, 2010-12-08 at 07:50 -0800, Alan Coopersmith wrote:
> Jerry Jelinek wrote:
> > Back when Sun was doing OpenSolaris they were
> > plugged into the various agencies, such as CERT,
> > which issue advance notification when a security
> > hole has been found. Sun could then quickly address
> > the bug and issue a patch.
>
> CERT hasn't been that relevant for a while - I believe the primary
> source of cross-vendor coordination now is vendor-sec:
>
> http://oss-security.openwall.org/wiki/mailing-lists/vendor-sec
> http://en.wikipedia.org/wiki/Vendor-sec
>
> Certainly that's where most of the security alert info that's passed
> on to me from the security team for fixes we need in Solaris all seems
> to come from, and as one of the people in the upstream security team at
> X.Org, that's where we pass it on to for pre-public distribution to the
> vendors & distro builders who don't have people on our team.
>
I think we need to have someone who "owns" the responsibility for
coordinating these efforts for Linux. I also encourage each of the
distributions (OpenIndiana, SchilliX, etc.) to do so on their own
behalf.
If you're reading this and think you're a natural fit for the above
(deep coding expertise, tenacity, and diligent follow-through all the
way to integration are all key elements here), please contact me
offline.
- Garrett
More information about the Developer
mailing list