Message-Id: <73b8017b-fce9-4cb1-be48-fc8085f1c276@app.fastmail.com>
Date: Fri, 25 Oct 2024 16:15:42 +0100
From: "Jiaxun Yang" <jiaxun.yang@...goat.com>
To: linux-kernel@...r.kernel.org, conduct@...nel.org, security@...nel.org,
 cve@...nel.org, linux-doc@...r.kernel.org,
 "stable@...r.kernel.org" <stable@...r.kernel.org>
Cc: "Linus Torvalds" <torvalds@...ux-foundation.org>,
 "Greg Kroah-Hartman" <gregkh@...uxfoundation.org>, shuah@...nel.org,
 lee@...nel.org, sashal@...nel.org, corbet@....net
Subject: Concerns over transparency of informal kernel groups

Dear Linux Community Members,

Over the years, various informal groups have formed within our community,
serving purposes such as maintaining connections with companies and external
bodies, handling sensitive information, making challenging decisions, and,
at times, representing the community as a whole. These groups contribute significantly
to our community's development and deserve our recognition and appreciation.

I'll name a few below that I identified from `Documentation/`:
- Code of Conduct Committee <conduct@...nel.org>
- Linux kernel security team <security@...nel.org>
- Linux kernel hardware security team <hardware-security@...nel.org>
- Kernel CVE assignment team <cve@...nel.org>
- Stable Team for unpublished vulnerabilities <stable@...nel.org>
  (I suspect it's just an alias to regular stable team, but I found no evidence).

Over recent events, I've taken a closer look at how our community's governance
operates, only to find that there's remarkably little public information available
about those informal groups. With the exception of the Linux kernel hardware security
team, it seems none of these groups maintain a public list of members that I can
easily find.

Upon digging into the details, I’d like to raise a few concerns and offer some thoughts
for further discussion:

- Absence of a Membership Register
Our community is built on mutual trust. Without knowing who comprises these groups,
it's understandably difficult for people to have full confidence in their work.
A publicly available membership list would not only foster trust but also allow us to
address our recognition and appreciation.

- Lack of Guidelines for Actions
Many of these groups appear to operate without documented guidelines. While I trust each
respectful individual's integrity, documented guidelines would enable the wider community
to better understand and appreciate the roles and responsibilities involved.

- Insufficient Transparency in Decision-Making
I fully respect the need for confidentiality in handling security matters, yet some
degree of openness around decision-making processes is essential in my opinion.
Releasing communications post-embargo, for instance, could promote understanding and
prevent potential abuse of confidential procedures.

- No Conflict of Interest Policy
Particularly in the case of the Code of Conduct Committee, there may arise situations
where individuals face challenging decisions involving personal connections. A conflict
of interest policy would provide valuable guidance in such circumstances.

Thank you for reading. I know none of us enjoy being pulled away by these non-technical
concerns; we love coding after all. However, I feel these concerns are vital for the
community's continued health. It might be a candidate for Linux TAB discussion.

I'm looking forward to everyone's input.

Thanks
- Jiaxun
