yocto.lists.yoctoproject.org archive mirror
* Renaming the yocto-security mailing list
From: Marta Rybczynska @ 2025-08-19 15:08 UTC (permalink / raw)
  To: yocto, yocto-security, OE-core

Hello all,
yesterday's incident confirms that yocto-security has a confusing name that
might cause confidential reports to arrive there.

What about renaming the list to yocto-security-discussion or similar? And
eventually redirect yocto-security to the private security list.

My reasoning: we shouldn't rename the private list as people might use old
versions of documentation and we want them to address the correct private
list when needed. It is less critical if a message intended for the public
list reaches the private one, than otherwise.

What do you think? What is the process to do the change?

Kind regards,
Marta


* Re: [yocto] Renaming the yocto-security mailing list
From: Rudolf J Streif @ 2025-08-19 21:50 UTC (permalink / raw)
  To: yocto, rybczynska

I don't know any specifics about the incident. I suppose security-relevant 
information was submitted to a public mailing list. A private mailing 
list may help but in the end it's security-by-obfuscation. A mailing 
list for submitting CVEs is not the best choice imho. A secure web form 
should be better. We have a CVE Status page 
(https://wiki.yoctoproject.org/wiki/CVE_Status) that lists the current 
acknowledged CVEs but of course reported CVEs should go through an 
investigative filter and potentially sanitizing first before being put on that 
page.

:rjs

On 8/19/25 8:08 AM, Marta Rybczynska via lists.yoctoproject.org wrote:
> Hello all,
> yesterday's incident confirms that yocto-security has a confusing name 
> that might cause confidential reports to arrive there.
>
> What about renaming the list to yocto-security-discussion or similar? 
> And eventually redirect yocto-security to the private security list.
>
> My reasoning: we shouldn't rename the private list as people might use 
> old versions of documentation and we want them to address the correct 
> private list when needed. It is less critical if a message intended 
> for the public list reaches the private one, than otherwise.
>
> What do you think? What is the process to do the change?
>
> Kind regards,
> Marta



* Re: [yocto] Renaming the yocto-security mailing list
From: Michael Halstead @ 2025-08-19 22:41 UTC (permalink / raw)
  To: rybczynska; +Cc: yocto, rudolf.streif, yocto-security, openembedded-core

I've updated yocto-security@lists.yoctoproject.org to require
moderator approval for new topics. This should prevent private
security reports from being posted publicly by mistake.
security@yoctoproject.org is not a private list but instead forwards
email received to members of the security team.

I believe this solves the issue without requiring changes to the list
name or documentation.

On Tue, Aug 19, 2025 at 2:50 PM Rudolf J Streif via
lists.yoctoproject.org
<rudolf.streif=ibeeto.com@lists.yoctoproject.org> wrote:
>
> I don't know any specifics about the incident. I suppose security-relevant
> information was submitted to a public mailing list. A private mailing
> list may help but in the end it's security-by-obfuscation. A mailing
> list for submitting CVEs is not the best choice imho. A secure web form
> should be better. We have a CVE Status page
> (https://wiki.yoctoproject.org/wiki/CVE_Status) that lists the current
> acknowledged CVEs but of course reported CVEs should go through an
> investigative filter and potentially sanitizing first before being put on that
> page.
>
> :rjs


-- 
Michael Halstead
Linux Foundation / Yocto Project
Systems Operations Engineer



* Re: [OE-core] [yocto] Renaming the yocto-security mailing list
From: Philip Balister @ 2025-08-20  9:53 UTC (permalink / raw)
  To: mhalstead, rybczynska
  Cc: yocto, rudolf.streif, yocto-security, openembedded-core

Michael,

Who are the moderators?

Philip

On 8/19/25 6:41 PM, Michael Halstead via lists.openembedded.org wrote:
> I've updated yocto-security@lists.yoctoproject.org to require
> moderator approval for new topics. This should prevent private
> security reports from being posted publicly by mistake.
> security@yoctoproject.org is not a private list but instead forwards
> email received to members of the security team.
> 
> I believe this solves the issue without requiring changes to the list
> name or documentation.




* Re: [OE-core] [yocto] Renaming the yocto-security mailing list
From: Marta Rybczynska @ 2025-08-20 12:35 UTC (permalink / raw)
  To: Philip Balister
  Cc: mhalstead, yocto, rudolf.streif, yocto-security,
	openembedded-core

This is an excellent question. We do want new discussions around security
topics, so this moderation should be efficient.

Kind regards,
Marta

On Wed, Aug 20, 2025 at 11:53 AM Philip Balister <philip@balister.org>
wrote:

> Michael,
>
> Who are the moderators?
>
> Philip


* Re: [OE-core] [yocto] Renaming the yocto-security mailing list
From: Michael Halstead @ 2025-08-21  1:09 UTC (permalink / raw)
  To: Marta Rybczynska
  Cc: Philip Balister, yocto, rudolf.streif, yocto-security,
	openembedded-core

On Wed, Aug 20, 2025 at 5:35 AM Marta Rybczynska <rybczynska@gmail.com> wrote:
>
> This is an excellent question. We do want new discussions around security topics, so this moderation should be efficient.
>
> Kind regards,
> Marta
>
> On Wed, Aug 20, 2025 at 11:53 AM Philip Balister <philip@balister.org> wrote:
>>
>> Michael,
>>
>> Who are the moderators?

I am currently the only moderator. I'll email the security group and
ask for more volunteers.

>>
>> Philip


-- 
Michael Halstead
Linux Foundation / Yocto Project
Systems Operations Engineer


