[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Predisclosure-applications] SecureDrop / Freedom of the Press Foundation request

Jennifer Helsby writes ("[Predisclosure-applications] SecureDrop / Freedom of 
the Press Foundation request"):
> Hello list members,
> SecureDrop / Freedom of the Press Foundation would like to apply to join the 
> Xen pre-disclosure list.

Hi.  Thanks for your application.

We think that, unfortunately, right now you don't qualify because

> > Evidence of your status as a user/distributor of Xen:
> > Statements about, or descriptions of, your eligible production services or 
> > released software, from which it is immediately evident that they use Xen.
> The workstation at https://github.com/freedomofpress/securedrop-workstation 
> requires the use of Qubes/Xen.

this software is not "released" in the appropriate sense.  The page
itself says:

  IMPORTANT: This project is in alpha, has known bugs and shortcomings,
  and should not be used in production environments.

and gives a link to a known set of existing security issues.  It
doesn't seem to us that you are in a position to immimently remove
that caveat.  When you make (or are about to make) a release that
might be used in production (although perhaps only by advanced users
who will tolerate bugs - a beta, you might say) we think you will

As a matter of transparency we also wanted in this mail (which is
published on the list) to discuss two other issues which arose.

Firstly, it seemed to us unclear whether you were distributing a
modified version of QubesOS - and how relevant this was to whether you
qualify under the Xen Project Policy.  We reviewed your
securedrop-workstation repository.  It seems to mostly be a
configuration management setup, which assembles a system (including
Xen components) on your users' systems.  We felt that this was
sufficient for you to qualify.  One consideration in your favour was
that you might very well want, for example, to modify that
configuration management repository to deploy workarounds for
vulnerabilities.  You might also want to discuss your response to a
vulnerability with Qubes.  It seemed to us that the appropriate way
for these things to be achieved would be for you to be on the
predisclosure list.

Secondly, we think your application was the first where links to
Markdown files on a 3rd-party git hosting service were offered in
response to the policy requirement for "Link(s) to current public web
pages, belonging to your organisation".  We concluded that this common
approach does amount to web hosting, even though it doesn't use a
domain name owned by you.  People often use their git hosting toplevel
page, with the formatted README.md, as their project home page,
effectively treating the git service as their web hosting provider.
So on this count we considered that you meet the requirements.

Thanks for your enquiry and we look forward to hearing from you again
when your project is more mature.

If you think it desirable to have predisclosure list membership in
place before a formal release, we would welcome a renewed application
even before you declare the system suitable for real-world use.

(on behalf of the Xen Project Security Team.)

Predisclosure-applications mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.