From: Chloe Kudryavtsev
To: alpine-devel@lists.alpinelinux.org
Cc: Daniel Isaksen
Subject: Re: [alpine-devel] Fw: Improving cross-distribution security
Date: Fri, 1 Mar 2019 21:19:01 -0500
Message-ID: <809b52be-9b7a-6e9b-4a57-0ea1c0118954@toastin.space>
References: <20190301214806.47a05e54@ncopa-desktop.copa.dup.pw>

On 3/1/2019 7:45 PM, Daniel Isaksen wrote:
> This is a great initiative, and we really need to get Working Groups (WGs) /
> Special Interest Groups (SIGs) formally set up. A while ago, I created a draft
> document[1] describing how to create and operate them. If you strongly
> disapprove of Google, email me, and I can return you a PDF copy.
>
> So, I'll be short: what do you, the Alpine developers, think of this proposal?
> Could any of you help me with said document? I am on the (somewhat loosely
> defined) 'infrastructure team', so I will be able to help out with the technical
> aspect.
>
> My personal opinion is that we need a team of (at least semi-)dedicated people
> on a Security SIG to first and foremost:
> - Maintain a security advisory program as a service for Alpine users.
> - Make sure we are properly tracking and patching new vulnerabilities, both
>   through open-source intelligence and information sharing with other
>   distributions.
>
> [1]: https://docs.google.com/document/d/1TIGk24yLdoAC-JAH7IQzCAkxzX_YocUiHVbeSt-WZsk/edit?usp=sharing

I disagree with your outlined approach, for various reasons.

After a discussion over on IRC, we agreed on a more general team-based
management approach. Please find the resulting draft proposal here[1].

We also both agreed that something along these lines must be done, for many
reasons. Kaniini has also expressed preemptive support in #alpine-devel.

Hopefully, a deeper and more detailed discussion will take place (likely over
IRC) within the next few days.

[1]: https://p.toastin.space/F7MDfw?asciidoc