Mail archive

Re: [alpine-devel] Fw: Improving cross-distribution security

From: Daniel Isaksen <>
Date: Sat, 02 Mar 2019 00:45:53 +0000

This is a great initiative, and we really need to get Working Groups (WGs) /
Special Interest Groups (SIGs) formally set up. A while ago, I created a draft
document[1] describing how to create and operate them. If you strongly
disapprove of Google, email me, and I can return you a PDF copy.

So, I'll be short: what do you, the Alpine developers, think of this proposal?
Could any of you help me with said document? I am on the (somewhat loosely
defined) 'infrastructure team', so I will be able to help out with the technical

My personal opinion is that we need a team of (at least semi-)dedicated people
on a Security SIG to first and foremost:
- Maintain a security advisory program as a service for Alpine users.
- Make sure we are properly tracking and patching new vulnerabilities, both
  through open-source intelligence and information sharing with other

Sincerely / Med vennlig hilsen,
Daniel Isaksen <> (

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, March 1, 2019 9:48 PM, Natanael Copa <> wrote:

> Hi,

> I got this email from Morten who I met at the reproducible builds
> summit last December. I think this is a very nice initiative and I think
> Alpine should try to participate.

> Begin forwarded message:

> Date: Thu, 21 Feb 2019 23:42:02 +0100
> From: Morten Linderud
> To:
> Cc:,,
> Subject: Improving cross-distribution security

> Hi, I'm Morten from the Arch Linux security team.

> There are a lot of community Linux distributions with ad hoc security teams that
> work on a best-effort basis. A lot of time is spent on the same tasks. For
> example tracking down if a patch has been backported to a linux-stable release,
> and which commit fixes which specific CVE and so on. The main goal of this
> effort is to alleviate the workload of vulnerability tracking by means of
> information sharing as there's plenty of overlap on each of the distros'
> efforts.

> We strongly believe better collaboration between distributions can help all
> users' security. While all distributions hold different priorities for their
> development, timely vulnerability tracking and remediation of upstream projects
> is one that is a clear win for all of them. Alpine, Red Hat, NixOS and SUSE have
> replied positively to this idea and we are now reaching out to other distributions
> that may wish to participate.

> #### Goals:

> - Improve overall distribution security and collaboration
> - Share knowledge in regards to issues, mitigations and patches
> - Help younger distributions establish security teams

> #### Non-goals:

> - The project has no intention of replacing the Openwall distros/oss-security lists.
> - The project has no intention of replacing distro security teams, but rather enriching them

> We have created the IRC channel ##distro-security on freenode that will function
> as a cross-distribution channel to discuss security issues. The goal of this
> channel is not to replace team channels, but to work as a high signal-to-noise
> place where people can ask for information, patches and advisories. The channel
> will also work for further discussions on how to improve collaboration between
> distribution teams.


> #### Projects contacted on BCC:

> - SUSE
> - Alpine Linux
> - Guix
> - NixOS
> - Manjaro
> - Gentoo
> - Void Linux
> - Debian
> - Ubuntu
> - QubesOS
> - Red Hat
> - Clear Linux
> - Slackware
> - Mageia

> This is meant to be an open project. If there are any distributions missing from
> the above list, please don't hesitate to forward this email or reply with
> contact information.

> We are excited to hear back from distributions about thoughts, concerns or
> suggestions on this project.

> Cheers,
> Arch Linux Security Team



Received on Sat Mar 02 2019 - 00:45:53 UTC