Date: Sat, 02 Mar 2019 00:45:53 +0000
From: Daniel Isaksen
To: Natanael Copa
Cc: "alpine-devel@lists.alpinelinux.org", Chloe Kudryavtsev
Subject: Re: [alpine-devel] Fw: Improving cross-distribution security

This is a great initiative, and we really need to get Working Groups (WGs) /
Special Interest Groups (SIGs) formally set up. A while ago, I created a draft
document[1] describing how to create and operate them. If you strongly
disapprove of Google, email me, and I can return you a PDF copy.

So, I'll be short: what do you, the Alpine developers, think of this proposal?
Could any of you help me with said document? I am on the (somewhat loosely
defined) 'infrastructure team', so I will be able to help out with the
technical aspect.

My personal opinion is that we need a team of (at least semi-)dedicated people
on a Security SIG to first and foremost:

- Maintain a security advisory program as a service for Alpine users.
- Make sure we are properly tracking and patching new vulnerabilities, both
  through open-source intelligence and information sharing with other
  distributions.

[1]: https://docs.google.com/document/d/1TIGk24yLdoAC-JAH7IQzCAkxzX_YocUiHVbeSt-WZsk/edit?usp=sharing

-----
Sincerely / Med vennlig hilsen,
Daniel Isaksen (https://duniel.no)

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, March 1, 2019 9:48 PM, Natanael Copa wrote:

> Hi,
>
> I got this email from Morten who I met at the reproducible builds
> summit last December. I think this is a very nice initiative and I think
> Alpine should try to participate.
>
> Begin forwarded message:
>
> Date: Thu, 21 Feb 2019 23:42:02 +0100
> From: Morten Linderud foxboron@archlinux.org
> To: anthraxx@archlinux.org
> Cc: santiago@archlinux.org, rgacogne@archlinux.org, jelle@archlinux.org
> Subject: Improving cross-distribution security
>
> Hi, I'm Morten from the Arch Linux security team.
>
> There are a lot of community linux distributions with ad hoc security teams that
> work on a best effort basis. A lot of time is spent on the same tasks.
> For example tracking down if a patch has been backported to a linux-stable release,
> and which commit fixes which specific CVE and so on. The main goal of this
> effort is to alleviate the workload of vulnerability tracking by means of
> information sharing as there's plenty of overlap on each of the distros'
> efforts.
>
> We strongly believe better collaboration between distributions can help all
> users' security. While all distributions hold different priorities for their
> development, timely vulnerability tracking and remediation of upstream projects
> is one that is a clear win for all of them. Alpine, Red Hat, NixOS and SUSE have
> replied positively on this idea and we are now reaching out to other distributions
> that may wish to participate.
>
> #### Goals:
>
> - Improve overall distribution security and collaboration
> - Share knowledge in regards to issues, mitigations and patches
> - Help younger distributions establish security teams
>
> #### Non-goals:
>
> - The project has no intention of replacing the open-wall distros/oss-security list.
> - The project has no intention of replacing distro security teams, but rather enrich them
>
> We have created the IRC channel ##distro-security on freenode that will function
> as a cross-distribution channel to discuss security issues. The goal of this
> channel is not to replace team channels, but work as a high signal-to-noise
> place where people can ask for information, patches and advisories. The channel
> will also work for further discussions how to improve collaboration between
> distribution teams.
>
> #### Projects contacted on BCC:
>
> - SUSE
> - Alpine Linux
> - Guix
> - NixOS
> - Manjaro
> - Gentoo
> - Void Linux
> - Debian
> - Ubuntu
> - QubesOS
> - Red Hat
> - Clear Linux
> - Slackware
> - Mageia
>
> This is meant to be an open project.
> If there are any distributions missing from
> the above list, please don't hesitate forwarding this email or replying with
> contact information.
>
> We are excited to hear back from distributions about thoughts, concerns or
> suggestions on this project.
>
> Cheers,
> Arch Linux Security Team
>
> Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
> Help: alpine-devel+help@lists.alpinelinux.org
>
> ---