May 28, 2008
Yesterday, Red Hat created a new initiative called The Open Source Software Security community (OSS-Security for
short). The new project is a mailing list–based approach, in which Linux security issues can be discussed openly and
Red Hat's work comes on the heels of Google, Novell and others supporting an open source CERT (Computer Emergency
Response Team) effort, called o-CERT. Though Red Hat is supportive of o-CERT, it's not an official member, least
Overall, Red Hat participates in numerous security efforts, including the vital vendor-sec group, in
which security vulnerabilities are regularly reported. OSS-security fulfills a different role than vendor-sec.
Josh Bressers, senior engineer for Red Hat's security response team, said, "OSS-security is not affiliated with
o-CERT in any way, nor is it meant to compete with them. Instead, o-CERT specializes in the handling of sensitive
and "embargoed" security issues."
He added, "The target of OSS-security is not handling sensitive issues but rather the
open discussion of public issues and daily challenges in the Linux community."
Red Hat's new initiative is meant to act as a public community effort with respect to handling many varieties of
open source security issues.
"We link to OSS-security from o-CERT.org, and one of the people that started OSS-security is on the o-CERT board,"
said Andrea Barisani, o-CERT's founder. "We are complementary and far from being competitive, and in the open
source security world all the help we can get is always welcome."
On the other hand, the OSS-security group is meant to act as a public community effort with respect to handling
open source security issues. "The purpose of vendor-sec is to be a closed private group," Bressers noted.
"The very nature of vendor-sec makes it ideal for handling embargoed sensitive security issues, but certainly doesn't
address the issue of public discussion," he said, explaining that "public discussion is the very heart of the
ideals of open source and Linux."
Red Hat isn't the only member of OSS-security. Mandriva, Foresight Linux and Openwall are also active
participants. Bressers was also quick to point out that neither Red Hat nor the OSS-security group is soliciting
open source projects to participate in this effort.
"The common goal of this group is to fill the current vacuum for discussing and handling the unique challenges
the Linux and open source community must focus on when handling security issues," Bressers said.
"Regardless of their affiliation, anyone is welcome to participate in this new initiative," Bressers said.
"Rather than explicitly solicit participation from other projects, we are confident that by building a strong
community, it will broaden participation."
Source: Red Hat.