
Re: [Predisclosure-applications] Application for predisclosure list from CloudLinux Inc



Igor,

apologies for the delay. We somehow missed your application.

Igor Seletskiy writes ("[Predisclosure-applications] Application for 
predisclosure list from CloudLinux Inc"):
> * KernelCare is a rebootless kernel updates service, that using
> technology similar to ksplice & livepatch patches vulnerabilities in
> running kernels without the need for reboot. It is our wish to start
> providing kernel patching for Xen4CentOS kernels, and we believe
> that being on predisclosure list would let us have binary patches
> prepared in advance - so we can distribute them right after public
> announcement.
> 
> * KernelCare is the product that patches Xen kernels

We think this means you are applying in one of these two (somewhat
overlapping) categories, from the policy:

* Vendors of Xen-based systems;
* Distributors of operating systems with Xen support.

We understand that your service distributes Linux kernel patches to
your users.  This is confirmed by this url from your mail:

> - http://www.streetinsider.com/Press+Releases/
> KernelCare+Now+Support+Proxmox+VE+Servers+with+Rebootless+Security+Updates/
> 11115997.html

Given that we sometimes issue advisories for Xen-related kernel bugs,
it seems appropriate for a kernel update distributor such as
yourselves to qualify in the same way that a Xen hypervisor update
distributor would do, provided that you support (provide patches for)
the Xen features in those kernels.


Unfortunately we were not able to find in your mail a reference to a
qualifying web page which mentions that you support those Xen
features.  The policy requires us to look for:

 Evidence of your status as a user/distributor of Xen: 

    * Statements about, or descriptions of, your eligible production
      services or released software, from which it is immediately
      evident that they use Xen.

In the context of a service such as yours, we think that this means
that it must be immediately evident that you provide patches for
installations of the applicable kernels _which are using Xen_.


Additionally, the policy requires you to provide a URL for:

  Information about your handling of security problems:

    * Your invitation to members of the public, who discover security
      problems with your products/services, to report them in confidence
      to you;

    * Specifically, the contact information (email addresses or
      other contact instructions) which such a member of the public
      should use.

We didn't see this in your email.


There were a few URLs in your message which we have not been able to
consider:

>> * kernelcare.com - we are a software vendor that provides software to apply
> security patches for running kernels without reboot for large number of linux
> distributions. The software is used on 50,000+ servers by various enterprises
> and service providers.
> -- whitepaper: http://kernelcare.com/2.0/whitepaper.pdf

I viewed this whitepaper in the mupdf and evince PDF viewers in Debian
wheezy and much of it seems to be blank or inaccessible. Could you please
attach the PDF?

> -- kernelcare blog posts: https://www.cloudlinux.com/kernelcare-blog

The policy precludes us from looking at blog posts.

> - http://www.thehostingnews.com/
> cloudlinux-announces-kernelcare-com-rebootless-kernel-update-service-31190.html

The policy requires us to look at only your own public web pages.

Please do resubmit your application with URLs to the further required
information, as and when you have that available.


Thanks,
Lars and Ian


> On 18 Apr 2016, at 18:58, Igor Seletskiy <i@xxxxxxxxxxxxxx> wrote:
> 
> Hello,
> 
> We have never received the answer. It would be great if we could get the 
> access.
> KernelCare now supports Xen4CentOS kernels, and it would help us & our 
> clients a lot if we would get advance notice about vulnerabilities.
> 
> 
> Regards,
> Igor Seletskiy |  CEO
> Skype: iseletsk
> CloudLinux.com  |  KernelCare.com  |  KuberDock.com 
> 
> helpdesk.cloudlinux.com: 24/7 Free, exceptionally good support
> Follow twitter.com/CloudLinuxOS for technical updates
> 

