NixOS would like to apply for the Xen Project Hypervisor Pre-disclosure List
Dear Xen Project Security Team,

I am writing on behalf of the NixOS Steering Committee and the Nixpkgs Xen Maintainers. NixOS is a Linux distribution based on the Nix Package Manager, and uses the Nixpkgs Package Collection, which is currently the single largest software repository out of all Linux distributions. We can be found at https://nixos.org, where users can download NixOS and set the virtualisation.xen.enable option to true in their system configuration in order to begin using NixOS as a Domain 0.

We believe we fit the acceptance criteria as a distributor of an operating system with Xen support. As evidence of our public distribution, we provide these packages:

https://search.nixos.org/packages?channel=unstable&size=4&buckets={"package_attr_set"%3A["No%20package%20set"]%2C"package_maintainers_set"%3A["Fernando%20Rodrigues"]}&sort=relevance&query=xen

And the accompanying system configuration options:

https://search.nixos.org/options?channel=unstable&size=36&sort=alpha_asc&query=virtualisation.xen.%2A

The Xen Derivation (also known as a Nix Package Recipe) is expressed through the Nix Programming Language here: https://github.com/NixOS/nixpkgs/tree/master/pkgs/build-support/xen. Since the new Xen maintainers stepped up, this part of the Nixpkgs monorepo has been very active!

The Xen Derivation is maintained by the Nixpkgs Xen Maintainers Team, described at https://nixos.org/community/teams/xen, where the current list of maintainers can be found. The three current maintainers will keep the private PGP key that decrypts embargoed XSAs. No one else in NixOS will have access to the mailing list.

NixOS has a long history of responding to security issues. The xsa@xxxxxxxxx email is used exclusively to receive embargoed XSAs. For any Nix and NixOS-specific vulnerabilities, users can report their findings to the NixOS Security Team, described at https://nixos.org/community/teams/security, using PGP-encrypted mail. If any Xen-specific issues are reported to the NixOS Security Team, they will forward the information to the Xen Maintainers Team, which will notify upstream Xen if the issue lies in the hypervisor's sources and not in our downstream packaging. NixOS has a decentralised maintainership structure, so XSAs would be reviewed by the maintainers listed in the Xen Maintainers Team, and the Security Team would only delegate their trust to the three Xen maintainers. The Xen Maintainers Team will notify the Xen Project and rotate the xsa@xxxxxxxxx PGP key in the unlikely event that a maintainer leaves or the key becomes compromised.

We reiterate that the NixOS project concurs with the Xen Project Pre-disclosure Policy and vows to preserve the confidentiality of embargoed patches until the public disclosure date. We plan to use the embargo period to internally test the patches and ascertain that they will not break our distribution of Xen. Once the embargo ends, one of the members of the Nixpkgs Xen Maintainers Team will open a public pull request on our Git forge with the changes created during the embargo period. Nothing will be pushed to the open Internet before the embargo period has ended and the patches have been merged into the upstream Xen tree.

We assert that we are subscribing to the Pre-disclosure List under the e-mail address xsa@xxxxxxxxx, and the attached PGP key's fingerprint is DD47 CA6C 1907 FD30 6A05 93C5 237B C92C 3D28 7674.

Appreciatively yours,
Fernando Rodrigues; On behalf of NixOS.

Attachment:
NixOS: Xen Security Advisory Encryption Key.asc