From predisclosure-applications-bounces@lists.xenproject.org Thu Dec 05 17:17:16 2024
Return-path: <predisclosure-applications-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xenproject.org
Delivery-date: Thu, 05 Dec 2024 17:17:16 +0000
Received: from list by lists.xenproject.org with outflank-mailman.849193.1263841 (Exim 4.92)
	(envelope-from <predisclosure-applications-bounces@lists.xenproject.org>)
	id 1tJFTX-0000vn-61; Thu, 05 Dec 2024 17:17:15 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 849193.1263841; Thu, 05 Dec 2024 17:17:15 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <predisclosure-applications-bounces@lists.xenproject.org>)
	id 1tJFTX-0000vj-3O; Thu, 05 Dec 2024 17:17:15 +0000
Received: by outflank-mailman (input) for mailman id 849193;
 Thu, 05 Dec 2024 17:09:10 +0000
Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254]
 helo=se1-gles-sth1.inumbo.com)
 by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from
 <SRS0=wNEb=S6=cloud.com=andrew.cooper@srs-se1.protection.inumbo.net>)
 id 1tJFLi-0008GJ-4d
 for predisclosure-applications@lists.xenproject.org;
 Thu, 05 Dec 2024 17:09:10 +0000
Received: from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com
 [2a00:1450:4864:20::32c])
 by se1-gles-sth1.inumbo.com (Halon) with ESMTPS
 id a2d912ca-b32b-11ef-a0d5-8be0dac302b0;
 Thu, 05 Dec 2024 18:09:08 +0100 (CET)
Received: by mail-wm1-x32c.google.com with SMTP id
 5b1f17b1804b1-434a95095efso14224615e9.0
 for <predisclosure-applications@lists.xenproject.org>;
 Thu, 05 Dec 2024 09:09:07 -0800 (PST)
Received: from [192.168.1.10] (host-92-26-98-202.as13285.net. [92.26.98.202])
 by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-434da1133c3sm29336525e9.31.2024.12.05.09.09.05
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Thu, 05 Dec 2024 09:09:05 -0800 (PST)
X-BeenThere: predisclosure-applications@lists.xenproject.org
List-Id: Applications for membership of Xen Security Advisories Pre-disclosure
 List <predisclosure-applications.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/predisclosure-applications>, 
 <mailto:predisclosure-applications-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:predisclosure-applications@lists.xenproject.org>
List-Help: <mailto:predisclosure-applications-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/predisclosure-applications>, 
 <mailto:predisclosure-applications-request@lists.xenproject.org?subject=subscribe>
Errors-To: predisclosure-applications-bounces@lists.xenproject.org
Precedence: list
Sender: "Predisclosure-applications"
 <predisclosure-applications-bounces@lists.xenproject.org>
X-Inumbo-ID: a2d912ca-b32b-11ef-a0d5-8be0dac302b0
X-Received: by 2002:a5d:47a1:0:b0:385:eeb9:a5d9 with SMTP id ffacd0b85a97d-3861bb4c757mr3402959f8f.2.1733418546401;
        Thu, 05 Dec 2024 09:09:06 -0800 (PST)
Message-ID: <8aafbb11-48cd-408c-8f11-0a83549c6297@citrix.com>
Date: Thu, 5 Dec 2024 17:09:05 +0000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: NixOS would like to apply for the Xen Project Hypervisor
 Pre-disclosure List
To: xsa@nixos.org, predisclosure-applications@lists.xenproject.org
References: <29e6ccc3-4172-44c8-8152-747cbadd7f86@app.fastmail.com>
Content-Language: en-GB
From: Andrew Cooper <andrew.cooper3@citrix.com>
In-Reply-To: <29e6ccc3-4172-44c8-8152-747cbadd7f86@app.fastmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On 29/11/2024 10:08 pm, Fernando Rodrigues wrote:
> Dear Xen Project Security Team,
>
> I am writing on behalf of the NixOS Steering Committee and the Nixpkgs Xen
> Maintainers. NixOS is a Linux distribution based on the Nix Package Manager,
> and uses the Nixpkgs Package Collection, which is currently the single
> largest software repository out of all Linux distributions.
>
> We can be found at https://nixos.org, where users can download NixOS and set
> the virtualisation.xen.enable option to true in their system configuration in
> order to begin using NixOS as a Domain 0. We believe we fit the acceptance
> criteria as a distributor of an operating system with Xen support.
>
> As evidence of our public distribution, we provide these packages:
> https://search.nixos.org/packages?channel=unstable&size=4&buckets={"package_attr_set"%3A["No%20package%20set"]%2C"package_maintainers_set"%3A["Fernando%20Rodrigues"]}&sort=relevance&query=xen
> And the accompanying system configuration options:
> https://search.nixos.org/options?channel=unstable&size=36&sort=alpha_asc&query=virtualisation.xen.%2A
>
> The Xen Derivation (also known as a Nix Package Recipe) is expressed through
> the Nix Programming Language here:
> https://github.com/NixOS/nixpkgs/tree/master/pkgs/build-support/xen.
> Since the new Xen maintainers stepped up, this part of the Nixpkgs monorepo
> has been very active!
>
> The Xen Derivation is maintained by the Nixpkgs Xen Maintainers Team,
> described at https://nixos.org/community/teams/xen, where the current list of
> maintainers can be found. The three current maintainers will keep the private
> PGP key that decrypts embargoed XSAs. No one else in NixOS will have access to
> the mailing list.
>
> NixOS has a long history of responding to security issues. The xsa@nixos.org
> email is used exclusively to receive embargoed XSAs. For any Nix and
> NixOS-specific vulnerabilities, users can report their findings to the NixOS
> Security Team, described at https://nixos.org/community/teams/security, using
> PGP-encrypted mail. If any Xen-specific issues are reported to the NixOS
> Security Team, they will forward the information to the Xen Maintainers Team,
> which will notify upstream Xen if the issue lies in the hypervisor's sources,
> and not in our downstream packaging.
>
> NixOS has a decentralised maintainership structure, so XSAs would be reviewed
> by the maintainers listed in the Xen Maintainers Team and the Security Team
> would only delegate their trust to the three Xen maintainers. The Xen
> Maintainers Team will notify the Xen Project and rotate the xsa@nixos.org PGP
> key in the unlikely event that a maintainer leaves or the key becomes
> compromised.
>
> We reiterate that the NixOS project concurs with the Xen Project
> Pre-disclosure Policy and vows to preserve the confidentiality of embargoed
> patches until the public disclosure date. We plan to use the embargo period to
> internally test the patches and ascertain that they will not break our
> distribution of Xen. Once the embargo ends, one of the members of the Nixpkgs
> Xen Maintainers Team will open a public pull request on our Git forge with the
> changes created during the embargo period. Nothing will be pushed to the open
> Internet before the embargo period has ended, and the patches have been merged
> into the upstream Xen tree.
>
> We assert that we are subscribing to the Pre-disclosure List under the e-mail
> address xsa@nixos.org and the attached PGP key's fingerprint is
> DD47 CA6C 1907 FD30 6A05  93C5 237B C92C 3D28 7674.
>
> Appreciatively yours,
>
> Fernando Rodrigues;
> On behalf of NixOS.

Thank you. Everything seems in order.

We'll get your email alias added shortly.

~Andrew, on behalf of the Xen Security Team.
