Hi,

After 15+ years of being a 100% volunteer effort, Openwall's maintenance of oss-security and (linux-)distros is finally sponsored by the OpenSSF, a project of the Linux Foundation. This sponsorship does not provide the Linux Foundation with the ability to set policies for community resources managed by Openwall. I am grateful for the support, which will help ensure continued operation of these resources on a new level while retaining independence.

As part of the sponsored effort, Openwall (currently me) took responsibility for the "statistics" contributing-back task:

"Keep track of per-report and per-issue handling and disclosure timelines (at least times of notification of (linux-)distros and of public disclosure on oss-security), at regular intervals produce and share statistics (most notably, the average embargo duration) as well as the input data (except on issues that are still under embargo) by posting to oss-security - primary: Openwall, backup: vacant"

At different times, this time-consuming task was handled by Gentoo and later by Amazon (thanks!) but was lately left unhandled. Due to the sponsorship, I've now retroactively produced statistics for 2023 so far:

https://oss-security.openwall.org/wiki/mailing-lists/distros/stats/2023

As expected, this uncovered a few mishandled issues, which I've recently pushed out to oss-security. That's why there are several reports (out of a total of 86) with embargo duration way in excess of the allowed maximum. This inflated the average duration accordingly, but the median stayed sane at 7 days. This is also why we need to, and now will, take care of the statistics task in real time, not only retroactively, so that any mishandling is identified and corrected promptly.

Also for the first time (something I haven't seen Gentoo and Amazon do) included are the source files I manually created based on review of the e-mail threads and external resources referenced from there. These files were processed with the also included (and permissively licensed) Perl script I wrote, so that others can reproduce the calculations or easily process the data differently.

Stay tuned for further updates.

Alexander
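The effect described in the message above (a few mishandled, late-disclosed reports inflating the average embargo duration while the median stays sane), as an added example that is not Openwall's Perl script or its source data; the report ids, dates and the 14-day maximum are constructed assumptions for illustration:

```python
from datetime import date
from statistics import mean, median

# Constructed sample: (report id, date (linux-)distros was notified,
# date of public disclosure on oss-security). Ids and dates are invented;
# the last two rows imitate mishandled reports pushed out long after the fact.
REPORTS = [
    ("r1", date(2023, 3, 1), date(2023, 3, 8)),
    ("r2", date(2023, 3, 10), date(2023, 3, 17)),
    ("r3", date(2023, 4, 2), date(2023, 4, 5)),
    ("r4", date(2023, 5, 20), date(2023, 6, 1)),
    ("r5", date(2023, 6, 15), date(2023, 6, 22)),
    ("r6", date(2023, 1, 5), date(2023, 11, 6)),
    ("r7", date(2023, 2, 1), date(2023, 11, 6)),
]

# Assumed maximum embargo for this example; the message above does not quote
# the list policy's actual figure.
MAX_EMBARGO_DAYS = 14

def embargo_days(notified, disclosed):
    """Embargo duration in whole days; disclosure before notification is a data error."""
    days = (disclosed - notified).days
    if days < 0:
        raise ValueError(f"disclosure {disclosed} precedes notification {notified}")
    return days

def summarize(reports, max_days=MAX_EMBARGO_DAYS):
    """Per-report durations plus the aggregate figures the statistics task reports."""
    durations = {rid: embargo_days(n, d) for rid, n, d in reports}
    values = list(durations.values())
    overdue = sorted(rid for rid, days in durations.items() if days > max_days)
    within = [days for rid, days in durations.items() if rid not in overdue]
    return {
        "count": len(values),
        "mean_days": mean(values),
        "median_days": median(values),
        "overdue": overdue,
        "mean_days_excluding_overdue": mean(within) if within else None,
    }

if __name__ == "__main__":
    s = summarize(REPORTS)
    print(f"{s['count']} reports: mean {s['mean_days']:.1f} d, median {s['median_days']} d")
    print("over the maximum:", ", ".join(s["overdue"]) or "none")
    print(f"mean without those: {s['mean_days_excluding_overdue']:.1f} d")
```

With the sample data the two overdue rows push the mean to about 88 days while the median remains 7 days, which is why the median is the more robust figure to watch when mishandled issues are still being caught up on.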