[arch-general] [arch-security] [Announcement] Discussion about restricting arch-security for public participation

Elmar Stellnberger estellnb at elstel.org
Thu Jan 28 15:29:18 UTC 2016


   Now there are different opinions about this:
Some people certainly estimate comments, questions and discussion about 
security issues which do not solely pertain to updates of packages for 
already known security issues. Allowing discussion about potential 
security risks is also an important issue though certain package 
maintainers and arch-security personnel may feel discomforted about such 
discussions. Nonetheless I would believe such discussion to be 
worthwhile and important. Those who do not want to read it will not need 
to as soon as we have separate lists for "Discussion about security 
issues in Arch" and "Package updates for Arch resolving already known 
security issues".

Just read f.i. the following message from Luchesar V. ILIEV:

-------- Forwarded Message --------
Subject: Re: [arch-security] strange netstat connections after having 
opened Firefox
Date: Sat, 5 Dec 2015 15:46:32 +0200
From: Luchesar V. ILIEV <luchesar.iliev at gmail.com>
Reply-To: Discussion about security issues in Arch Linux and its 
packages <arch-security at archlinux.org>
To: Discussion about security issues in Arch Linux and its packages 
<arch-security at archlinux.org>

On 5 December 2015 at 14:01, Christian Rebischke
<Chris.Rebischke at archlinux.org> wrote:
 > This mailinglist has a daily-business todo and was not designed for
 > discussions. [...]

The list name however says "Discussion about security issues in Arch
Linux and its packages". That being said, I understand what you mean
and agree with it.

 > [...] This mailinglist's main task is to
 > inform subscribers about newest vulnerabilities.

So, could perhaps the list be split into two: one list for
security-related discussions and one---moderated or even
"read-only"---strictly for security announcements? For example,
FreeBSD has these:

freebsd-security: Security issues [members-only posting]
freebsd-security-notifications: Moderated Security Notifications
[moderated, low volume]

The rationale is probably obvious. On one hand, people indeed expect a
list used for security announcements to be used _only_ for this. Some
might, for example, have set filters that mark such messages as
urgent, display nagging pop ups, etc. On the other hand, the plain old
e-mail still has value as a medium for discussions. For example, it's
not very practical to digitally sign forum postings, and IRC is a
wholly different type of communication that might not always be
appropriate.

Cheers,
Luchesar

P.S. Slightly off-topic: my sincerest gratitude to everyone behind the
security announcements! You're doing a great job, and this is not just
empty words.


On 2016-01-28 at 13:06, Elmar Stellnberger wrote:
> I see that there is certain interest in separating messages about
> security updates in given packages from general security discussions and
> announcements. Nonetheless if the arch-security list becomes closed down
> for public participation then we are in need of a new list for the
> latter two purposes.
>
> On 2016-01-28 at 01:41, Levente Polyak wrote:
>> Dear arch-security subscribers,
>> Dear arch-general subscribers,
>>
>> the policy of the arch-security mailinglist is currently changed to a
>> restricted advisory announcements only list due to certain reasons
>> roughly explained on the arch-devops [0] and arch-dev-public [1] lists.
>>
>> As there was no announcement and discussion about this change yet, we
>> want to invite you to discuss the restriction of the arch-security
>> mailinglist on the CC-ed arch-general list. After making sure you are
>> subscribed to arch-general [2], you can simply reply to this
>> announcement by posting directly to the arch-general mailinglist.
>>
>> Our main goal behind this change is to separate relevant official
>> announcements and advisories from possibly long and frequent
>> discussions. The security team's idea is that each announcement to the
>> arch-security list should be considered as an urgent alert and reviewed
>> as soon as possible, without the need to filter them from general
>> conversations and exchange of "unverified" information.
>>
>> sincerely,
>> Levente (anthraxx)
>>
>> [0]
>> https://lists.archlinux.org/pipermail/arch-devops/2016-January/000007.html
>>
>> [1]
>> https://lists.archlinux.org/pipermail/arch-dev-public/2015-December/027581.html
>>
>> [2] https://lists.archlinux.org/listinfo/arch-general
>>
>

