Re: [Xen-devel] Coverity + XenProject + Process?
On Sat, Aug 31, 2013 at 10:36:40AM +0100, Ian Campbell wrote:
> On Fri, 2013-08-30 at 11:00 -0400, Konrad Rzeszutek Wilk wrote:
[...]
> > But I am not sure who should have the power to veto/accept
> > volunteers? Should security@xxxxxxx do that? Or should folks
> > at Xen Devel mailing list be involved in it as well?
>
> I'd be happier if this was done publicly. Since there is no security
> sensitive information at this point there is no reason for it to be
> private AFAICT. Maybe the social awkwardness of having people be
> publicly turned down is important though?

+1

The "discuss in public" approach seems to work for the "distros"
mailing list. Membership requests are discussed in the public on the
"oss-security" mailing list. [1]

> Wherever they are made I think we need requests to include a short bio
> of the person, covering who they are, what their security background is
> and why they are interested specifically in the xen project, etc. To aid
> us in making a decision as to whether we should trust them.
>
> The request should be signed with a PGP key that is part of the WoT
> strong set (i.e. reachable from mine and your keys).
>
> We could just go with a rule that people need to already be known to the
> Xen community (e.g. have submitted a/some patch(es)), but I think there
> are plenty of security researchers out there who wouldn't otherwise work
> on Xen but might be valuable in this context.

This all sounds reasonable to me.

--msw

[1] http://oss-security.openwall.org/wiki/mailing-lists/distros

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel