
Re: [Xen-devel] Security vulnerability process, and CVE-2012-0217
Hello Thomas,

Wednesday, June 27, 2012, 8:07:25 PM, you wrote:

> Hi Ian,

> Thanks for discussing this in a public way!

> On 06/20/2012 02:16 AM, Ian Jackson wrote:
>> We had one request from a public Xen cloud provider to be provided
>> with predisclosure information.  However it appeared to us that they
>> didn't meet the size threshold in the process document.
>>
>> The size threshold is of course open to discussion.
>>   
> I find the concept of a "Xen Cloud provider size threshold"
> quite anti-competitive. Why would a bigger provider
> be offered a substantial advantage over a smaller one?

> On 06/20/2012 02:16 AM, Ian Jackson wrote:
>> One particular issue here which also relates to the predisclosure
>> membership criteria, is whether large indirect consumers of Xen should
>> be on the predisclosure list in their own right.  That would allow
>> them to deploy the fix before the embargo date.  It would also allow
>> them to prepare for testing and deployment, before the fix is
>> available from their vendor (who would in this scenario also be
>> entitled to be a predisclosure list member).
>>   

> And other hosting providers not in the list? They can be hacked and die,
> while the big ones are safe?

> Why wouldn't a smaller company know? Can *I* be in the predisclosure list?
> If you reject me from such list, why? What's the procedure to be on such
> list?

I think it's all a trade-off between:
A) Informing as many stakeholders as possible about the threat
B) Not informing anyone with malicious intentions

And the assumptions that have been made are:
C) Employees of large companies have a small chance of having malicious 
intentions
D) The risk of informing someone with a malicious intention rises when more 
people are included on the list

Well, while D) would probably be true, C) is indeed more questionable.

It's also a question whether larger companies would break the embargo by informing 
their customers who aren't on the list, with a rumor spreading in public as the 
end result.

On the other hand, I see no way to circumvent any of these, except by fixing 
the threat ASAP and keeping the embargo time as short as possible.


> On 06/20/2012 05:45 PM, George Dunlap wrote:
>> The only way this would work is if the predisclosure list consisted
>> exclusively of software providers, and specifically excluded service
>> providers.
> I agree, though you might have corner cases.

> What if you are *both* software and service provider (eg: I'm working on
> Debian and XCP, and my small company provides a hosted Xen service)?

> Cheers,

> Thomas

-- 
Best regards,
 Sander                            mailto:linux@xxxxxxxxxxxxxx