osquery / osquery

SQL powered operating system instrumentation, monitoring, and analytics.
https://osquery.io

Best security announce method for osquery-specific and third-party issues #1052

Closed theopolis closed 9 years ago

theopolis commented 9 years ago

If we have hi-priority security updates or vulnerability announcements we should have a standard and advertised method for updating osquery users. An email or RSS might be a little much but we can do anything given the osquery.io homepage, github release (tag) descriptions, the unused google-group replier, RTD updates, etc.

Recommendations?

marpaia commented 9 years ago

I'd go with email list personally, as the kind of people that would want this are probably used to maintaining a collection of email lists? But I'd be interested in hearing from users on this.

sharvilshah commented 9 years ago

While email is nice in that it will eventually get to everyone, I think it is also slow -- everyone gets too much email and everyone has filters. RSS has the same problem. RTD is nice as a wiki, but people only go there to look something up (how do I do X type of things).

Personally I have found that I learn about security updates/advisory first from twitter or a post to r/netsec, HackerNews or fb_eng notes.

So my suggestion:

The repo can be replaced/backed by a minimal static blog on osquery.io

Just my two cents.

marpaia commented 9 years ago

@sharvilshah oOo, I like those suggestions a lot. We could run a blog on osquery.io proper and post security announcements there, and re-post them to netsec/twitter/etc. Why did you bring up having a git repo? Do people use git to manage/track vulns? Or was it more that it would be easy/convenient (which it really would be).

sharvilshah commented 9 years ago

@marpaia

We could run a blog on osquery.io proper and post security announcements there, and re-post them to netsec/twitter/etc.

:+1:

Why did you bring up having a git repo? Do people use git to manage/track vulns? Or was it more that it would be easy/convenient (which it really would be).

Convenience/dead simplicity mainly. I didn't see a blog/news section on osquery.io and just having a git repo works. Also traditional blogs (wordpress et al) have a lot of infra overhead: database, keeping up with its security updates, comment/spam moderation, backups etc. Though this can be solved by using something like Jekyll or another static site generator.

I don't think tracking vulns via git is the norm, but have seen some around. The other benefit is seeing the history and my hypothesis is that it could provide slightly better transparency.

For instance, seeing this Yubico advisory history, I know (and only because I stumbled on that repository) that it was published on 2015-04-15. Yet their official twitter and forum post didn't go out until 2015-04-24 and their blog post didn't go out until 2015-04-27. I can only speculate about the reasons for that (and they aren't good: new product launch, Friday), and it doesn't exactly inspire confidence in their runbook/procedures when this sort of thing happens again.

wxsBSD commented 9 years ago

My thoughts are an osquery-announce mailing list at a minimum. Every major project I've contributed to over the years has one and it is the de facto standard. An advisories or announcements page on osquery.io is also worth it.

I know some projects keep a private repo for advisories in the works and then move them to a public one when ready, but it is mostly done by moving it to the repo that is the website. I'd be in favor of that too.

Everything else (Twitter/reddit/HN) is best effort in my opinion.

IncludeSec commented 9 years ago

Announce on a mailing list + add a page to the osquery.io home page (a top level tab) named "releases" or "announcements"; that's where major release announcements and security update alerts can be posted. If you do home page + mailing list, I don't think anybody can fault you. If you create some obscure repo on github, a lot of folks will miss that.

marpaia commented 9 years ago

Thanks for all of the feedback everyone, we're going to give it a good think and put something together.