Re: [Predisclosure-applications] SecureDrop / Freedom of the Press Foundation request


  • To: Ian Jackson <ian.jackson@xxxxxxxxxx>
  • From: Jennifer Helsby <jen@freedom.press>
  • Date: Fri, 3 Jan 2020 11:59:35 -0500
  • Autocrypt: addr=jen@freedom.press; prefer-encrypt=mutual
  • Cc: "predisclosure-applications@xxxxxxxxxxxxxxxxxxxx" <predisclosure-applications@xxxxxxxxxxxxxxxxxxxx>, "security@freedom.press" <security@freedom.press>, security@xxxxxxxxxxxxxx
  • Delivery-date: Fri, 03 Jan 2020 17:03:48 +0000
  • List-id: Applications for membership of Xen Security Advisories Pre-disclosure List <predisclosure-applications.lists.xenproject.org>
  • Openpgp: preference=signencrypt

On 1/3/20 7:28 AM, Ian Jackson wrote:

>> The workstation at https://github.com/freedomofpress/securedrop-workstation 
>> requires the use of Qubes/Xen.
> this software is not "released" in the appropriate sense.  The page
> itself says:
>
>   IMPORTANT: This project is in alpha, has known bugs and shortcomings,
>   and should not be used in production environments.
>
> and gives a link to a known set of existing security issues.  It
> doesn't seem to us that you are in a position to imminently remove
> that caveat.  When you make (or are about to make) a release that
> might be used in production (although perhaps only by advanced users
> who will tolerate bugs - a beta, you might say) we think you will
> qualify.

Thanks for the thoughtful response. We're applying now as we'll be
beginning production use with a few news organizations in February as
part of a beta, but in light of this we'll hold off for now and will
reapply then (when this caveat/note will be removed).

> As a matter of transparency we also wanted in this mail (which is
> published on the list) to discuss two other issues which arose.
>
> Firstly, it seemed to us unclear whether you were distributing a
> modified version of QubesOS - and how relevant this was to whether you
> qualify under the Xen Project Policy.  We reviewed your
> securedrop-workstation repository.  It seems to mostly be a
> configuration management setup, which assembles a system (including
> Xen components) on your users' systems.  We felt that this was
> sufficient for you to qualify.  

Yep this is correct.

Thanks again for the consideration.

More soon,

Jen

-- 
Jennifer Helsby, Ph.D.
SecureDrop Lead Developer
Freedom of the Press Foundation
<jen@freedom.press>
GnuPG: F48E CC56 4980 83F1 80DF F943 DA05 B7C5 2ABA F334