Re: NixOS would like to apply for the Xen Project Hypervisor Pre-disclosure List
On 29/11/2024 10:08 pm, Fernando Rodrigues wrote:
> Dear Xen Project Security Team,
>
> I am writing on behalf of the NixOS Steering Committee and the Nixpkgs Xen
> Maintainers. NixOS is a Linux distribution based on the Nix Package Manager,
> and uses the Nixpkgs Package Collection, which is currently the single largest
> software repository out of all Linux distributions.
>
> We can be found at https://nixos.org, where users can download NixOS and set
> the virtualisation.xen.enable option to true in their system configuration in
> order to begin using NixOS as a Domain 0. We believe we fit the acceptance
> criteria as a distributor of an operating system with Xen support.
>
> As evidence of our public distribution, we provide these packages:
> https://search.nixos.org/packages?channel=unstable&size=4&buckets={"package_attr_set"%3A["No%20package%20set"]%2C"package_maintainers_set"%3A["Fernando%20Rodrigues"]}&sort=relevance&query=xen
> And the accompanying system configuration options:
> https://search.nixos.org/options?channel=unstable&size=36&sort=alpha_asc&query=virtualisation.xen.%2A
>
> The Xen Derivation (also known as a Nix Package Recipe) is expressed through the
> Nix Programming Language here:
> https://github.com/NixOS/nixpkgs/tree/master/pkgs/build-support/xen.
> Since the new Xen maintainers stepped up, this part of the Nixpkgs monorepo has
> been very active!
>
> The Xen Derivation is maintained by the Nixpkgs Xen Maintainers Team, described
> at https://nixos.org/community/teams/xen, where the current list of maintainers
> can be found. The three current maintainers will keep the private PGP key that
> decrypts embargoed XSAs. No one else in NixOS will have access to the mailing
> list.
>
> NixOS has a long history of responding to security issues. The xsa@xxxxxxxxx
> email is used exclusively to receive embargoed XSAs. For any Nix and
> NixOS-specific vulnerabilities, users can report their findings to the NixOS
> Security Team, described at https://nixos.org/community/teams/security, using
> PGP-encrypted mail. If any Xen-specific issues are reported to the NixOS
> Security Team, they will forward the information to the Xen Maintainers Team,
> which will notify upstream Xen if the issue lies in the hypervisor's sources,
> and not in our downstream packaging.
>
> NixOS has a decentralised maintainership structure, so XSAs would be reviewed
> by the maintainers listed in the Xen Maintainers Team and the Security Team
> would only delegate their trust to the three Xen maintainers.
> The Xen Maintainers Team will notify the Xen Project and rotate the
> xsa@xxxxxxxxx PGP key in the unlikely event that a maintainer leaves or the key
> becomes compromised.
>
> We reiterate that the NixOS project concurs with the Xen Project Pre-disclosure
> Policy and vows to preserve the confidentiality of embargoed patches until the
> public disclosure date. We plan to use the embargo period to internally test the
> patches and ascertain that they will not break our distribution of Xen. Once
> the embargo ends, one of the members of the Nixpkgs Xen Maintainers Team will
> open a public pull request on our Git forge with the changes created during the
> embargo period. Nothing will be pushed to the open Internet before the embargo
> period has ended, and the patches have been merged into the upstream Xen tree.
>
> We assert that we are subscribing to the Pre-disclosure List under the e-mail
> address xsa@xxxxxxxxx and the attached PGP key's fingerprint is DD47 CA6C 1907
> FD30 6A05 93C5 237B C92C 3D28 7674.
>
> Appreciatively yours,
>
> Fernando Rodrigues;
> On behalf of NixOS.

Thank you. Everything seems in order. We'll get your email alias added shortly.

~Andrew, on behalf of the Xen Security Team.