Mail archive
alpine-devel

Re: [alpine-devel] Fw: Improving cross-distribution security

From: Daniel Isaksen <d_at_duniel.no>
Date: Sat, 02 Mar 2019 00:45:53 +0000

This is a great initiative, and we really need to get Working Groups (WGs) /
Special Interest Groups (SIGs) formally set up. A while ago, I created a draft
document[1] describing how to create and operate them. If you strongly
disapprove of Google, email me, and I can return you a PDF copy.

So, I'll be short: what do you, the Alpine developers, think of this proposal?
Could any of you help me with said document? I am on the (somewhat loosely
defined) 'infrastructure team', so I will be able to help out with the technical
aspect.

My personal opinion is that we need a team of (at least semi-)dedicated people
on a Security SIG to first and foremost:
- Maintain a security advisory program as a service for Alpine users.
- Make sure we are properly tracking and patching new vulnerabilities, both
  through open-source intelligence and information sharing with other
  distributions.

[1]: https://docs.google.com/document/d/1TIGk24yLdoAC-JAH7IQzCAkxzX_YocUiHVbeSt-WZsk/edit?usp=sharing
-----
Sincerely / Med vennlig hilsen,
Daniel Isaksen <d_at_duniel.no> (https://duniel.no)

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, March 1, 2019 9:48 PM, Natanael Copa <ncopa_at_alpinelinux.org> wrote:

> Hi,
>
> I got this email from Morten who I met at the reproducible builds
> summit last December. I think this is a very nice initiative and I think
> Alpine should try to participate.
>
> Begin forwarded message:
>
> Date: Thu, 21 Feb 2019 23:42:02 +0100
> From: Morten Linderud foxboron_at_archlinux.org
> To: anthraxx_at_archlinux.org
> Cc: santiago_at_archlinux.org, rgacogne_at_archlinux.org, jelle_at_archlinux.org
> Subject: Improving cross-distribution security
>
> Hi, I'm Morten from the Arch Linux security team.
>
> There are a lot of community Linux distributions with ad hoc security teams that
> work on a best-effort basis. A lot of time is spent on the same tasks. For
> example, tracking down if a patch has been backported to a linux-stable release,
> and which commit fixes which specific CVE and so on. The main goal of this
> effort is to alleviate the workload of vulnerability tracking by means of
> information sharing as there's plenty of overlap on each of the distros'
> efforts.
>
> We strongly believe better collaboration between distributions can help all
> users' security. While all distributions hold different priorities for their
> development, timely vulnerability tracking and remediation of upstream projects
> is one that is a clear win for all of them. Alpine, Red Hat, NixOS and SUSE have
> replied positively to this idea and we are now reaching out to other distributions
> that may wish to participate.
>
> #### Goals:
>
> - Improve overall distribution security and collaboration
> - Share knowledge in regards to issues, mitigations and patches
> - Help younger distributions establish security teams
>
> #### Non-goals:
>
> - The project has no intention of replacing the Openwall distros/oss-security list.
> - The project has no intention of replacing distro security teams, but rather to enrich them
>
> We have created the IRC channel ##distro-security on freenode that will function
> as a cross-distribution channel to discuss security issues. The goal of this
> channel is not to replace team channels, but work as a high signal-to-noise
> place where people can ask for information, patches and advisories. The channel
> will also work for further discussions on how to improve collaboration between
> distribution teams.
>
> #### Projects contacted on BCC:
>
> - SUSE
> - Alpine Linux
> - Guix
> - NixOS
> - Manjaro
> - Gentoo
> - Void Linux
> - Debian
> - Ubuntu
> - QubesOS
> - Red Hat
> - Clear Linux
> - Slackware
> - Mageia
>
> This is meant to be an open project. If there are any distributions missing from
> the above list, please don't hesitate to forward this email or reply with
> contact information.
>
> We are excited to hear back from distributions about thoughts, concerns or
> suggestions on this project.
>
> Cheers,
> Arch Linux Security Team
>
> Unsubscribe: alpine-devel+unsubscribe_at_lists.alpinelinux.org
> Help: alpine-devel+help_at_lists.alpinelinux.org
>
> ----------------------------------------------------------------------------------------------------------
---
Unsubscribe:  alpine-devel+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-devel+help_at_lists.alpinelinux.org
---
Received on Sat Mar 02 2019 - 00:45:53 UTC