From predisclosure-applications-bounces@lists.xenproject.org Fri Nov 29 22:08:37 2024
Return-path: <predisclosure-applications-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xenproject.org
Delivery-date: Fri, 29 Nov 2024 22:08:37 +0000
Received: from list by lists.xenproject.org with outflank-mailman.846063.1261324 (Exim 4.92)
	(envelope-from <predisclosure-applications-bounces@lists.xenproject.org>)
	id 1tH9AB-0000KF-ET; Fri, 29 Nov 2024 22:08:35 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 846063.1261324; Fri, 29 Nov 2024 22:08:35 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <predisclosure-applications-bounces@lists.xenproject.org>)
	id 1tH9AB-0000KB-Bq; Fri, 29 Nov 2024 22:08:35 +0000
Received: by outflank-mailman (input) for mailman id 846063;
 Fri, 29 Nov 2024 22:08:34 +0000
Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50]
 helo=se1-gles-flk1.inumbo.com)
 by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from
 <SRS0=xyk3=SY=sigmasquadron.net=xsa@srs-se1.protection.inumbo.net>)
 id 1tH9AA-0000K5-5F
 for predisclosure-applications@lists.xenproject.org;
 Fri, 29 Nov 2024 22:08:34 +0000
Received: from flow-a1-smtp.messagingengine.com
 (flow-a1-smtp.messagingengine.com [103.168.172.136])
 by se1-gles-flk1.inumbo.com (Halon) with ESMTPS
 id 7479f4d1-ae9e-11ef-99a3-01e77a169b0f;
 Fri, 29 Nov 2024 23:08:28 +0100 (CET)
Received: from phl-compute-12.internal (phl-compute-12.phl.internal
 [10.202.2.52])
 by mailflow.phl.internal (Postfix) with ESMTP id E1B782005D1;
 Fri, 29 Nov 2024 17:08:24 -0500 (EST)
Received: from phl-imap-06 ([10.202.2.83])
 by phl-compute-12.internal (MEProxy); Fri, 29 Nov 2024 17:08:24 -0500
Received: by mailuser.phl.internal (Postfix, from userid 501)
 id 62B2829C006F; Fri, 29 Nov 2024 17:08:24 -0500 (EST)
X-BeenThere: predisclosure-applications@lists.xenproject.org
List-Id: Applications for membership of Xen Security Advisories Pre-disclosure
 List <predisclosure-applications.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/predisclosure-applications>, 
 <mailto:predisclosure-applications-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:predisclosure-applications@lists.xenproject.org>
List-Help: <mailto:predisclosure-applications-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/predisclosure-applications>, 
 <mailto:predisclosure-applications-request@lists.xenproject.org?subject=subscribe>
Errors-To: predisclosure-applications-bounces@lists.xenproject.org
Precedence: list
Sender: "Predisclosure-applications"
 <predisclosure-applications-bounces@lists.xenproject.org>
Feedback-ID: i383648a8:Fastmail
X-Mailer: MessagingEngine.com Webmail Interface
MIME-Version: 1.0
Date: Fri, 29 Nov 2024 19:08:02 -0300
From: "Fernando Rodrigues" <xsa@sigmasquadron.net>
Reply-To: xsa@nixos.org
To: predisclosure-applications@lists.xenproject.org
Cc: xsa@nixos.org
Message-Id: <29e6ccc3-4172-44c8-8152-747cbadd7f86@app.fastmail.com>
Subject: NixOS would like to apply for the Xen Project Hypervisor Pre-disclosure List
Content-Type: multipart/mixed;
 boundary=2c57555e188a4600bda2b7293bb33389

--2c57555e188a4600bda2b7293bb33389
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear Xen Project Security Team,

I am writing on behalf of the NixOS Steering Committee and the Nixpkgs Xen
Maintainers. NixOS is a Linux distribution based on the Nix Package Manager,
and uses the Nixpkgs Package Collection, which is currently the single largest
software repository out of all Linux distributions.

We can be found at https://nixos.org, where users can download NixOS and set
the virtualisation.xen.enable option to true in their system configuration in
order to begin using NixOS as a Domain 0. We believe we fit the acceptance
criteria as a distributor of an operating system with Xen support.

As evidence of our public distribution, we provide these packages:
https://search.nixos.org/packages?channel=unstable&size=4&buckets={"package_attr_set"%3A["No%20package%20set"]%2C"package_maintainers_set"%3A["Fernando%20Rodrigues"]}&sort=relevance&query=xen
And the accompanying system configuration options:
https://search.nixos.org/options?channel=unstable&size=36&sort=alpha_asc&query=virtualisation.xen.%2A

The Xen Derivation (also known as a Nix Package Recipe) is expressed through the
Nix Programming Language here:
https://github.com/NixOS/nixpkgs/tree/master/pkgs/build-support/xen.
Since the new Xen maintainers stepped up, this part of the Nixpkgs monorepo has
been very active!

The Xen Derivation is maintained by the Nixpkgs Xen Maintainers Team, described
at https://nixos.org/community/teams/xen, where the current list of maintainers
can be found. The three current maintainers will keep the private PGP key that
decrypts embargoed XSAs. No one else in NixOS will have access to the mailing list.

NixOS has a long history of responding to security issues. The xsa@nixos.org
email is used exclusively to receive embargoed XSAs. For any Nix and
NixOS-specific vulnerabilities, users can report their findings to the NixOS
Security Team, described at https://nixos.org/community/teams/security, using
PGP-encrypted mail. If any Xen-specific issues are reported to the NixOS
Security Team, they will forward the information to the Xen Maintainers Team,
which will notify upstream Xen if the issue lies in the hypervisor's sources, and
not in our downstream packaging.

NixOS has a decentralised maintainership structure, so XSAs would be reviewed
by the maintainers listed in the Xen Maintainers Team and the Security Team
would only delegate their trust to the three Xen maintainers.
The Xen Maintainers Team will notify the Xen Project and rotate the xsa@nixos.org
PGP key in the unlikely event that a maintainer leaves or the key becomes compromised.

We reiterate that the NixOS project concurs with the Xen Project Pre-disclosure Policy
and vows to preserve the confidentiality of embargoed patches until the public
disclosure date. We plan to use the embargo period to internally test the
patches and ascertain that they will not break our distribution of Xen. Once
the embargo ends, one of the members of the Nixpkgs Xen Maintainers Team will
open a public pull request on our Git forge with the changes created during the
embargo period. Nothing will be pushed to the open Internet before the embargo
period has ended, and the patches have been merged into the upstream Xen tree.

We assert that we are subscribing to the Pre-disclosure List under the e-mail
address xsa@nixos.org and the attached PGP key's fingerprint is DD47 CA6C 1907 FD30 6A05  93C5 237B C92C 3D28 7674.

Appreciatively yours,

Fernando Rodrigues;
On behalf of NixOS.
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTdR8psGQf9MGoFk8Uje8ksPSh2dAUCZ0dslwAKCRAje8ksPSh2
dMZ7AP482px+jCg1XTwdDO+C1UOchWDz59NlrAxQykwktloJKwEA4pabRYhyV0XF
utWfpvWH9ZPtmxgS7J5zric6F2fOiAA=
=nVkH
-----END PGP SIGNATURE-----

--2c57555e188a4600bda2b7293bb33389
Content-Disposition: attachment;
	filename*0="NixOS: Xen Security Advisory Encryption Key.asc"
Content-Type: text/plain;
	name="=?UTF-8?Q?NixOS:_Xen_Security_Advisory_Encryption_Key.asc?="
Content-Transfer-Encoding: base64

--2c57555e188a4600bda2b7293bb33389--


