I think it is not that clear and easy yet. Remember osol is licensed under the CDDL and not all parts are open sourced (if I am not mistaken), e.g. ZFS is not yet fully opened, so it is still unclear and uncertain how the suggested security repositories would be implemented and to what extent.
________________________________
From: Giovanni Tirloni <gtirl...@sysdroid.com>
To: security-discuss at opensolaris.org
Sent: Wed, March 24, 2010 3:02:24 PM
Subject: [indiana-discuss] Reporting Security Issues (Was: Free /support, /security repository for 2010.x, wider OpenSolaris usage.)

On Wed, Mar 24, 2010 at 9:34 AM, Nikola M. <minikola at gmail.com> wrote:
> On 03/22/10 11:56 AM, George Koutras wrote:
> > Considering Oracle's latest announcement that Osol will be community driven, then it all comes down to the community on how it will be developed and released.
> Yup, that is the point.
> > We need to organise to actually make and maintain security patches for released stable OpenSolaris.
> +1
> > There are many more people and organizations than only the ones with contracts that use OpenSolaris, and there will be many more in the future, so we need /security (and /updates) to be made and available to all, the same way OpenSolaris is.
> > There are many people who simply have no time in life to wait for (and use) only mega-long-term supported releases like closed Solaris is. Life is too short for that.
> > It is needed, pronto, after the 2010.03 release. (/security and /updates)
> > Releasing 2009.06 /support could be a good move from Oracle, but the future (2010.x) and maintaining it openly (not closed-source patches etc.) is more important.
> Let's organise.

I did a quick search trying to find how to report security issues to the OpenSolaris community and I couldn't find much. Is there anything that I'm missing?

Perhaps since most of the OpenSolaris committers are Sun employees and security issues got communicated by their customers, they didn't see the need to make it public. But I'm just guessing here.

That being said, I think this would be a suggestion for the Security Community: create a public process for reporting security issues against OpenSolaris and a way to communicate them back to the community with impact, workaround, fixes, etc.

Also, any commits to the source repository that fix security issues would have to be communicated fully. Today, just by following onnv-gate-notify it's hard to tell what's a security fix and what's not. Is there a way to scan for security fixes?

I'm moving this discussion to security-discuss for input.

--
Giovanni

_______________________________________________
indiana-discuss mailing list
indiana-discuss at opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/indiana-discuss