[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-announce] Xen Project Security Policy Improvements: Get Involved

Dear Community Members,

The recent XSA-108 vulnerability resulted in a lot of media coverage, which 
ended up stress-testing some of our policy and security related processes. 
During the embargo period of XSA-108, the Xen Project Security Team was faced 
with some difficult questions of policy interpretation, as well as practical 
issues related to pre-disclosure list membership applications.

To ensure more clarity moving forward, the Xen Project Security Team started a 
community consultation 
(http://lists.xenproject.org/archives/html/xen-devel/2014-10/msg00976.html) to 
improve and better define the project’s Security Vulnerability Response Process 

In particular we are seeking to clarify the following elements of the policy, 
which surfaced during the embargo period of XSA-108:
* Sharing of information amongst pre-disclosure list members during an embargo 
* Deployment of patches on public systems of fixed versions of the Xen Project 
Hypervisor during the embargo period
* Service announcements to non-list-member users during an embargo period
* Clarifying criteria related to pre-disclosure list membership and making it 
easier to verify them
* Processing applications of pre-disclosure list membership during an embargo 

For more background and information read the e-mail thread on xen-devel@ called 
Security policy ambiguities – XSA-108 process post-mortem 
(http://lists.xenproject.org/archives/html/xen-devel/2014-10/msg00976.html & 
http://bugs.xenproject.org/xen/bug/44 to see the entire conversation thread in 
one place).

If you use Xen Project Software in any way, we encourage you to voice your 
thoughts to help formulate and update our security policy to ensure it meets 
the needs of our entire community. To take part in the discussion please send 
mail to xen-devel@xxxxxxxxxxxxxxxxxxxxx If you are a member of the list just 
reply to the relevant thread. If you are not a member of the mailing list and 
plan to respond to an e-mail that has already been sent you have two easy 

 * You can reply to the message via our issue tracker 
(http://bugs.xenproject.org/xen/bug/44) using the Reply to this message link at 
the top of the message; or
 * You can retrieve the mbox from the issue issue tracker, load the thread into 
your mail client and just reply.

Even if you chose not to subscribe to xen-devel@ – which you don’t have to 
participate – you may want to occasionally check the discussion thread activity 
on this thread, to ensure you are not missing any activity.

Going forward, we will collate community input and propose a revised version of 
the policy, which will be formally approved in line with Xen Project 
Governance. We have not set a specific deadline for the discussion, but aim to 
issue a revised policy within 4 weeks.

Best Regards
Xen-announce mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.