Re: [Xen-devel] [DRAFT] Coverity Access Policy



On Wed, Sep 25, 2013 at 03:56:55PM +0100, Ian Campbell wrote:
> On Wed, 2013-09-25 at 10:26 -0400, Konrad Rzeszutek Wilk wrote:
> > On Wed, Sep 25, 2013 at 09:34:08AM +0100, Ian Campbell wrote:
> > > On Tue, 2013-09-24 at 13:35 -0400, Konrad Rzeszutek Wilk wrote:
> > > > On Mon, Sep 23, 2013 at 03:14:52PM +0100, Ian Campbell wrote:
> > > > > I've tried to codify some of the ideas put forward in the previous
> > > > > thread and round out the proposal with some practicalities.
> > > > > 
> > > > > I was undecided about requiring unanimity (i.e no objections from a
> > > > > maintainer) rather than just consensus. Any thoughts on that? A (well
> > > > > reasoned) objection should carry a fair bit of weight under these
> > > > > circumstances I think.
> > > > > 
> > > > > 8<--------------------------------
> > > > > 
> > > > > The Xen Project is registered with the "Coverity Scan" service[0]
> > > > > which applies Coverity's static analyser to the Open Source
> > > > > projects. The tool can and does find flaws in the source code which
> > > > > can include security issues.
> > > > > 
> > > > > Triaging and proposing solutions for the flaws found by Coverity is a
> > > > > useful way in which Community members can contribute to the Xen
> > > > > Project. However because the service may discover security issues and
> > > > > the Xen Project practices responsible disclosure as described in "Xen
> > > > > Security Problem Response Process"[1] the full database of issues
> > > > > cannot simply be made public.
> > > > > 
> > > > > Members of the community may request access to the Coverity database
> > > > > under the condition that for any security issues discovered, they:
> > > > > 
> > > > >  * agree to follow the security response process[1].
> > > > >  * undertake to report security issues discovered to the security team
> > > > >    (security@xxxxxxx) within 3 days of discovery.
> > > > >  * waive their right to select the disclosure time line. Discoveries
> > > > >    will follow the default time lines given in the policy.
> > > > >  * agree to not disclose any issue discovered other than to the
> > > > >    security team, unless this has been approved by the security team.
> > > > 
> > > > Perhaps that sentence above could be changed to:
> > > > 
> > > >  * agree to disclose issues discovered to the security team. Unless the
> > > >    security team has given approval to publicly disclose it.
> > > 
> > > I don't think this wording quite so clearly excludes telling your
> > > friends/blackhats/people in the pub.
> > > 
> > > I prefer my original wording.
> > 
> > Perhaps it is me having English as a secondary language, but I had
> > a rough time understanding 'not' and 'unless' in the sentence.
> > It made it much easier to understand when I flipped it.
> > 
> > Maybe this:
> >   * agree to disclose the issues discovered ONLY to the security team.
> >     Unless the security team has given approval to publicly disclose it.
> 
> My issue with your wording was with "publicly".
> 
> How about:
>   * agree to disclose the issues discovered ONLY to the security team 
>     and not to any other party.
> 
> If so I'd move it to be the bullet after "undertake to report".
> 
> We can leave out the "unless approved bit", we will deal with that on a
> case by case basis.

I like that. Thank you!
> 
> Ian.
> 

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

