Re: [Xen-devel] Security vulnerability process
Mike Bursell writes ("[Xen-devel] Security vulnerability process"):
> Proposed changes
> i. extend the standard embargo period from one week to two to allow more
> time for response/roll-out.

Thanks for your comments.

No-one seems to have objected to this.

> ii. allow the standard initial week to flex in the case that a fix is
> not immediately found.

I agree with Ian Campbell's comment about this. The wording:

  As discussed, we will negotiate with discoverers about disclosure
  schedule. Our usual starting point for that negotiation, unless there
  are reasons to diverge from this, would be:

makes it clear that this schedule is definitely subject to variation
depending on the circumstances. Would you agree?

> iii. allow the standard embargo period to be extended, by consensus of
> those on the predisclosure list, moderated by the Board, to a longer
> period. This is to deal with cases where the vulnerability is
> particularly severe and/or the fixes are particularly onerous to roll
> out.

I don't think this idea is really going to work.

Firstly, the predisclosure list is an announcement list, not a
discussion list. While the list of organisations will be published, in
general the email addresses on it are busy security contact desks who
do not want to be involved in extended discussions.

Secondly, I think it will in practice prove difficult to get consensus
on an extension - given that the predisclosure list contains some
organisations who have expectations of a very short timescale and who
want to fix the problem for their users ASAP. So such a provision
wouldn't have much effect other than people sending extra emails. And
of course as Ian Campbell says we are still bound by the views of the
discoverer.

Finally, even if these practical objections could be dealt with, it
seems to me to be questionable to put the predisclosure list members
in charge of the decision about when the rest of the users find out.
There is a clear conflict of interest there.

So for those reasons I'm afraid I think it wouldn't be appropriate to
make that change.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel