This is a great initiative, and we really need to get Working Groups (WGs) /
Special Interest Groups (SIGs) formally set up. A while ago, I created a draft
document describing how to create and operate them. If you strongly
disapprove of Google, email me, and I can return you a PDF copy.
So, I'll be short: what do you, the Alpine developers, think of this proposal?
Could any of you help me with said document? I am on the (somewhat loosely
defined) 'infrastructure team', so I will be able to help out with the technical
My personal opinion is that we need a team of (at least semi-)dedicated people
on a Security SIG to first and foremost:
- Maintain a security advisory program as a service for Alpine users.
- Make sure we are properly tracking and patching new vulnerabilities, both
through open-source intelligence and information sharing with other
Sincerely / Kind regards,
Daniel Isaksen <d_at_duniel.no> (https://duniel.no)
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, March 1, 2019 9:48 PM, Natanael Copa <ncopa_at_alpinelinux.org> wrote:
> I got this email from Morten who I met at the reproducible builds
> summit last December. I think this is a very nice initiative and I think
> Alpine should try to participate.
> Begin forwarded message:
> Date: Thu, 21 Feb 2019 23:42:02 +0100
> From: Morten Linderud foxboron_at_archlinux.org
> To: anthraxx_at_archlinux.org
> Cc: santiago_at_archlinux.org, rgacogne_at_archlinux.org, jelle_at_archlinux.org
> Subject: Improving cross-distribution security
> Hi, I'm Morten from the Arch Linux security team.
> There are a lot of community Linux distributions with ad hoc security teams that
> work on a best-effort basis. A lot of time is spent on the same tasks. For
> example tracking down if a patch has been backported to a linux-stable release,
> and which commit fixes which specific CVE and so on. The main goal of this
> effort is to alleviate the workload of vulnerability tracking by means of
> information sharing as there's plenty of overlap on each of the distros'
> We strongly believe better collaboration between distributions can help all
> users' security. While all distributions hold different priorities for their
> development, timely vulnerability tracking and remediation of upstream projects
> is one that is a clear win for all of them. Alpine, Red Hat, NixOS and SUSE have
> replied positively on this idea and we are now reaching out to other distributions
> that may wish to participate.
> #### Goals:
> - Improve overall distribution security and collaboration
> - Share knowledge in regards to issues, mitigations and patches
> - Help younger distributions establish security teams
> #### Non-goals:
> - The project has no intention of replacing the Openwall distros/oss-security list.
> - The project has no intention of replacing distro security teams, but rather enrich them
> We have created the IRC channel ##distro-security on freenode that will function
> as a cross-distribution channel to discuss security issues. The goal of this
> channel is not to replace team channels, but work as a high signal-to-noise
> place where people can ask for information, patches and advisories. The channel
> will also work for further discussions on how to improve collaboration between
> distribution teams.
> #### Projects contacted on BCC:
> - SUSE
> - Alpine Linux
> - Guix
> - NixOS
> - Manjaro
> - Gentoo
> - Void Linux
> - Debian
> - Ubuntu
> - QubesOS
> - Red Hat
> - Clear Linux
> - Slackware
> - Mageia
> This is meant to be an open project. If there are any distributions missing from
> the above list, please don't hesitate to forward this email or reply with
> contact information.
> We are excited to hear back from distributions about thoughts, concerns or
> suggestions on this project.
> Arch Linux Security Team
Received on Sat Mar 02 2019 - 00:45:53 UTC