[Xen-devel] Coverity + XenProject + Process?


We have a static analyzer set up for Xen called Coverity. It allows
the code to be inspected for bugs and such.

Originally I set this up so that we could make sure that there are no
bugs that cause security issues - and as such invited only folks
on the Xen security mailing list.

But there are other folks who I am sure would like to contribute,
and as Coverity is pretty amazing at analyzing issues and providing
a good idea of how to fix them, I was wondering what should be the
procedure for involving volunteers in that?

Initially it was recommended that they agree to the security
disclosure (http://www.xenproject.org/security-policy.html) and
will agree to use by default the "Two working weeks between issue
of our advisory to our predisclosure list and publication."

But I am not sure who should have the power to veto/accept
volunteers? Should security@xxxxxxx do that? Or should folks
on the Xen-devel mailing list be involved in it as well?

Should that security disclosure be used for that as well?

Thank you.
