On Wed, 24 Mar 2010, Giovanni Tirloni wrote:

> On Wed, Mar 24, 2010 at 9:34 AM, Nikola M. <minikola at gmail.com> wrote:
>
>> On 03/22/10 11:56 AM, George Koutras wrote:
>>> Considering Oracle's latest announcement that Osol will be community
>> driven, then it all comes to the community on how it will be developed and
>> released.
>> Yup that is what is the point.
>>
>> We need to organise to actually make and maintain security patches for
>> Released stable Opensolaris.
>>
>
> +1
>
>
>>
>> There are many more people and organizations than only the ones with
>> contracts that use Opensolaris, and there will be many more in the
>> future, so we need /security (and /updates) to be made and available to
>> all, the same way Opensolaris is.
>> There are many people that simply have no time in life to wait for (and use)
>> only mega-long-term supported releases like closed Solaris is. Life is
>> too short for that.
>> It is needed, pronto, after the 2010.03 release. (/security and /updates)
>>
>> Releasing 2009.06 /support could be a good move from Oracle, but the future
>> (2010.x) and maintaining it openly (not closed-source patches etc.) is
>> more important.
>> Let's organise.
>
>
> I did a quick search trying to find how to report security issues to the
> OpenSolaris community and I couldn't find much. Is there anything that I'm
> missing?

We use the same path for all of Sun's products.  security-alert at sun.com
is one way, for now, but that may be changing (like many of Sun's
procedures). You can find more information here:
http://blogs.sun.com/security/

And as for Oracle's method for external people to report issues,
you can find that here:
http://www.oracle.com/technology/deploy/security/alerts.htm
( secalert_us at oracle.com )

>
> Perhaps since most of the OpenSolaris committers are Sun employees and
> security issues got communicated by their customers, they didn't see the
> need to make it public. But I'm just guessing here.

Security vulnerabilities are generally not made public by any
vendor while being investigated. There are even organizations
that coordinate cross platform issues. When there is information
to communicate, you can find them in SunAlerts, which also
cover OpenSolaris versions that may be impacted.

> That being said, I think this would be a suggestion for the Security
> Community: create a public process for reporting security issues against
> OpenSolaris and a way to communicate them back to the community with impact,
> workaround, fixes, etc.

Such a process already exists (see above) and due to the nature
of how vulnerabilities need to be handled (particularly when
you're looking at multiple vendors), it is a very complicated
issue.

>
> Also, any commits to the source repository that fix security issues would
> have to be communicated fully. Today, just by following onnv-gate-notify
> it's hard to tell what's a security fix and what's not. Is there a way to
> scan for security fixes?

Follow the RSS feed here: http://blogs.sun.com/security/

Hope that helps,

Valerie
-- 
Sponsor me in the Breathe Easy Ride - 100 miles - June 26!
Money raised goes to the American Lung Association:
        http://action.lungusa.org/goto/valerie