[alpine-devel] Fw: Improving cross-distribution security

From: Natanael Copa <>
Date: Fri, 1 Mar 2019 21:48:06 +0100


I got this email from Morten who I met at the reproducible builds
summit last December. I think this is a very nice initiative and I think
Alpine should try to participate.

Begin forwarded message:

Date: Thu, 21 Feb 2019 23:42:02 +0100
From: Morten Linderud <>
Subject: Improving cross-distribution security

Hi, I'm Morten from the Arch Linux security team.

There are a lot of community Linux distributions with ad hoc security teams that
work on a best-effort basis. A lot of time is spent on the same tasks. For
example tracking down if a patch has been backported to a linux-stable release,
and which commit fixes which specific CVE and so on. The main goal of this
effort is to alleviate the workload of vulnerability tracking by means of
information sharing as there's plenty of overlap on each of the distros'

We strongly believe better collaboration between distributions can help all
users' security. While all distributions hold different priorities for their
development, timely vulnerability tracking and remediation of upstream projects
is one that is a clear win for all of them. Alpine, Red Hat, NixOS and SUSE have
replied positively on this idea and we are now reaching out to other distributions
that may wish to participate.

#### Goals:
- Improve overall distribution security and collaboration
- Share knowledge in regards to issues, mitigations and patches
- Help younger distributions establish security teams

#### Non-goals:
- The project has no intention of replacing the open-wall distros/oss-security list.
- The project has no intention of replacing distro security teams, but rather enrich them.

We have created the IRC channel ##distro-security on freenode that will function
as a cross-distribution channel to discuss security issues. The goal of this
channel is not to replace team channels, but work as a high signal-to-noise
place where people can ask for information, patches and advisories. The channel
will also work for further discussions on how to improve collaboration between
distribution teams.

#### Projects contacted on BCC:
- Alpine Linux
- Guix
- NixOS
- Manjaro
- Gentoo
- Void Linux
- Debian
- Ubuntu
- QubesOS
- Red Hat
- Clear Linux
- Slackware
- Mageia

This is meant to be an open project. If there are any distributions missing from
the above list, please don't hesitate to forward this email or reply with
contact information.

We are excited to hear back from distributions about thoughts, concerns or
suggestions on this project.

Arch Linux Security Team

Received on Fri Mar 01 2019 - 21:48:06 UTC