Xen project Mailing List

Re: [Xen-devel] [DRAFT] Coverity Access Policy

To: Ian Campbell <Ian.Campbell@xxxxxxxxxx>

From: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>

Date: Wed, 25 Sep 2013 10:26:23 -0400

Cc: Lars Kurth <lars.kurth@xxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxx>

Delivery-date: Wed, 25 Sep 2013 14:26:49 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Wed, Sep 25, 2013 at 09:34:08AM +0100, Ian Campbell wrote: > On Tue, 2013-09-24 at 13:35 -0400, Konrad Rzeszutek Wilk wrote: > > On Mon, Sep 23, 2013 at 03:14:52PM +0100, Ian Campbell wrote: > > > I've tried to codify some of the ideas put forward in the previous > > > thread and round out the proposal with some practicalities. > > > > > > I was undecided about requiring unanimity (i.e no objections from a > > > maintainer) rather than just consensus. Any thoughts on that? A (well > > > reasoned) objection should carry a fair bit of weight under these > > > circumstances I think. > > > > > > 8<-------------------------------- > > > > > > The Xen Project is registered with the "Coverity Scan" service[0] > > > which applies Coverity's static analyser to the Open Source > > > projects. The tool can and does find flaws in the source code which > > > can include security issues. > > > > > > Triaging and proposing solutions for the flaws found by Coverity is a > > > useful way in which Community members can contribute to the Xen > > > Project. However because the service may discover security issues and > > > the Xen Project practices responsible disclosure as described in "Xen > > > Security Problem Response Process"[1] the full database of issues > > > cannot simply be made public. > > > > > > Members of the community may request access to the Coverity database > > > under the condition that for any security issues discovered, they: > > > > > > * agree to follow the security response process[1]. > > > * undertake to report security issues discovered to the security team > > > (security@xxxxxxx) within 3 days of discovery. > > > * waive their right to select the disclosure time line. Discoveries > > > will follow the default time lines given in the policy. > > > * agree to not disclose any issue discovered other than to the > > > security team, unless this has been approved by the security team. > > > > Perhaps that sentence above could be changed to: > > > > * agree to disclose issues discovered to the security team. Unless the > > security team has given approval to publicily disclose it. > > I don't think this wording quite so clearly excludes telling your > friends/blackhats/people in the pub. > > I prefer my original wording. Perhaps it is me having an English as a secondary language but I had a rough time understanding 'not', and 'unless' in the sentence. It made it much easier to understand when I flipped it. Maybe this: * agree to disclose the issues discovered ONLY to the security team. Unless the security team has given approval to publicily disclose it. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.