Differences


mailing-lists:distros [2017/11/20 14:38]
solar [List usage statistics] updated the headers-only archives
mailing-lists:distros [2019/03/11 04:58] (current)
solar [List policy and instructions for reporters] documented restrictions on attachment filenames
Line 46:
 To report a non-public medium or high severity ((Overall severity as estimated by risk probability and risk impact product. We require that low severity security issues be reported to the public oss-security list right away.)) security issue to one of these lists, send e-mail to <distros@vs.openwall.org> or <linux-distros@vs.openwall.org> (just //one// of these lists depending on who you want to inform), preferably PGP-encrypted to the key below (yes, same key for both lists).  Be sure to **include ''[vs]'' (four characters) in the Subject line**, or your message will most likely ((We're using a whitelist approach.)) be rejected by the mail server.  (This helps us filter out spam, and confirm that you indeed read this policy before successfully sending anything to us.)  In your message, please **propose a (tentative) public disclosure date/time** for the issue. ((And if it is "right now" or "already public", then don't post to these lists, but post to oss-security only instead.)) If you do not hear back within 48 hours, please send another message to inquire whether your initial message has in fact been received.
  
-Speaking of encryption, the supported message formats are: plain unencrypted messages, PGP/MIME (including with attachments), or inline PGP.  (In all of these cases, messages are distributed to list members (re-)encrypted to their own keys - except that **headers, including From and Subject, are not encrypted**, so you may want to avoid including security sensitive information in the Subject.)  However, manual PGP-encrypted attachments are not supported (so if you want to attach file(s) to your encrypted message, use PGP/MIME).

+The supported message formats are: plain unencrypted messages (including with attachments), PGP/MIME (including with attachments), or inline PGP.  (In all of these cases, messages are distributed to list members (re-)encrypted to their own keys - except that **headers, including From and Subject, are not encrypted**, so you may want to avoid including security sensitive information in the Subject.)  However, **manual PGP-encrypted attachments are not supported** (so if you want to attach file(s) to your //encrypted// message, use PGP/MIME).  The **attachment filenames should be alphanumeric**, except that dot, minus sign, and underscore characters are allowed within the filenames (not as the first character of a filename).
  
 Please note that **the //maximum// acceptable embargo period for issues disclosed to these lists is 14 days**.  Please do not ask for a longer embargo.  In fact, **embargo periods shorter than 7 days are preferable**.  Please **notify upstream projects/developers of the affected software**, other affected [[:vendors|distro vendors]], and/or affected [[:software|Open Source projects]] **//before// notifying one of these mailing lists** in order to **ensure that these other parties are OK with the maximum embargo period that would apply** (and if not, then you may have to delay your notification to the mailing list), unless you're confident you'd choose to ignore their preference anyway and disclose the issue publicly soon as per the policy stated here.
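As an added example (not part of the wiki page or of the list's own tooling), a small Python pre-flight check of a draft report against the Subject tag, attachment-filename and embargo rules stated above; the reference time, subject and filenames are constructed for illustration.

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Attachment filename rule from the list policy: alphanumeric characters,
# with '.', '-' and '_' allowed anywhere except as the first character.
ATTACHMENT_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

MAX_EMBARGO = timedelta(days=14)       # hard maximum stated by the policy
PREFERRED_EMBARGO = timedelta(days=7)  # shorter embargoes are preferred

# Constructed reference time for the examples (the page's last-modified stamp).
EXAMPLE_NOW = datetime(2019, 3, 11, 4, 58, tzinfo=timezone.utc)


def check_attachment_name(name: str) -> bool:
    """True if the filename satisfies the list's attachment naming rule."""
    return ATTACHMENT_NAME_RE.fullmatch(name) is not None


def check_report(subject: str, attachments: list[str],
                 proposed_disclosure: str,
                 now: datetime = EXAMPLE_NOW) -> tuple[list[str], list[str]]:
    """Pre-flight a draft report against the policy.

    proposed_disclosure is an ISO 8601 timestamp with a UTC offset.
    Returns (errors, warnings); empty errors means the message passes
    these rules.  Encryption is not checked here: PGP/MIME is the mail
    client's job.
    """
    errors, warnings = [], []
    if "[vs]" not in subject:
        errors.append("Subject lacks the required '[vs]' tag")
    for name in attachments:
        if not check_attachment_name(name):
            errors.append(f"attachment filename not allowed: {name!r}")
    embargo = datetime.fromisoformat(proposed_disclosure) - now
    if embargo <= timedelta(0):
        errors.append("disclosure date is not in the future; post to oss-security instead")
    elif embargo > MAX_EMBARGO:
        errors.append(f"proposed embargo of {embargo.days} days exceeds the 14-day maximum")
    elif embargo > PREFERRED_EMBARGO:
        warnings.append(f"embargo of {embargo.days} days is allowed; 7 days or less is preferred")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_report("[vs] example issue in libfoo", ["fix-issue_42.patch"],
                               "2019-03-21T12:00:00+00:00")
    print("errors:", errs, "warnings:", warns)
```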
mailing-lists/distros.txt · Last modified: 2019/03/11 04:58 by solar
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported