Date: Fri, 1 Mar 2019 21:48:06 +0100
From: Natanael Copa
To: alpine-devel@lists.alpinelinux.org
Subject: [alpine-devel] Fw: Improving cross-distribution security

Hi,

I got this email from Morten, who I met at the reproducible builds summit last December. I think this is a very nice initiative and I think Alpine should try to participate.

Begin forwarded message:

Date: Thu, 21 Feb 2019 23:42:02 +0100
From: Morten Linderud
To: anthraxx@archlinux.org
Cc: santiago@archlinux.org, rgacogne@archlinux.org, jelle@archlinux.org
Subject: Improving cross-distribution security

Hi,

I'm Morten from the Arch Linux security team. There are a lot of community Linux distributions with ad hoc security teams that work on a best-effort basis. A lot of time is spent on the same tasks.
For example, tracking down if a patch has been backported to a linux-stable release, and which commit fixes which specific CVE and so on.

The main goal of this effort is to alleviate the workload of vulnerability tracking by means of information sharing, as there's plenty of overlap on each of the distros' efforts. We strongly believe better collaboration between distributions can help all users' security. While all distributions hold different priorities for their development, timely vulnerability tracking and remediation of upstream projects is one that is a clear win for all of them.

Alpine, Red Hat, NixOS and SUSE have replied positively on this idea and we are now reaching out to other distributions that may wish to participate.

#### Goals:

- Improve overall distribution security and collaboration
- Share knowledge in regards to issues, mitigations and patches
- Help younger distributions establish security teams

#### Non-goals:

- The project has no intention of replacing the Openwall distros/oss-security list.
- The project has no intention of replacing distro security teams, but rather enrich them

We have created the IRC channel ##distro-security on freenode that will function as a cross-distribution channel to discuss security issues. The goal of this channel is not to replace team channels, but work as a high signal-to-noise place where people can ask for information, patches and advisories. The channel will also work for further discussions on how to improve collaboration between distribution teams.

#### Projects contacted on BCC:

- SUSE
- Alpine Linux
- Guix
- NixOS
- Manjaro
- Gentoo
- Void Linux
- Debian
- Ubuntu
- QubesOS
- Red Hat
- Clear Linux
- Slackware
- Mageia

This is meant to be an open project. If there are any distributions missing from the above list, please don't hesitate to forward this email or reply with contact information.

We are excited to hear back from distributions about thoughts, concerns or suggestions on this project.

Cheers,
Arch Linux Security Team