Re: [Xen-devel] Security vulnerability process, and CVE-2012-0217

>>> On 04.07.12 at 14:36, George Dunlap <George.Dunlap@xxxxxxxxxxxxx> wrote:
> The only caveat I can think of is that it may increase the risk,
> during the time between the predisclosure and the public announcement,
> for those not on the list. We can basically assume that the list will
> have some blackhats. If the timeframe is anywhere near what some
> people have asked for (e.g., 3-4 weeks), then it might become
> worthwhile for people to develop an exploit to take advantage of
> people during that timeframe. This might be an acceptable cost, since
> those people *could* be on the list if they wanted.

Being on the list doesn't make you non-susceptible. Such an approach,
imo, would need to imply permission to anyone on the list to deploy a
fix as soon as it is available. But since distros can't ship binaries
without also making sources available, that's a contradiction by itself.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel