
Re: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem

Lars Kurth writes ("Re: [Xen-devel] Security policy ambiguities - XSA-108 
process post-mortem"):
> On 8 Oct 2014, at 16:06, Ian Jackson <ijackson@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> > My view is that the policy should be clarified to permit deployment
> > during embargo.  I see no practical reason for preventing it.  
> I agree. If we didn't allow deployment during an embargo a lot more
> users would be at risk.
> However, in this context we do need to look at a number of questions:
> a) Risk of someone reverse engineering the vulnerability during
> deployment.

This is what my caveat is intended to address.

> b) GPL (or license) compliance - this may be a non-issue, but I
> would like to get some advice on it.

Feel free to get advice but I can assure you that this is a

> In the case of XSA 108 both were not an issue, because the hypervisor is not 
> accessible by a user of a cloud provider.
> However, if the vulnerability had been in another component this may be 
> different.

If the vulnerability were in a component that were distributed to the
users then 1. the GPL would be engaged 2. my caveat would be violated.

> >  List members who are service providers may deploy fixed versions
> >  during the embargo, PROVIDED THAT any action taken by the service
> >  provider gives no indication (to their users or anyone else) as to
> >  the nature of the vulnerability.
> I think this text does not address a) and b)

It may be that this wording should be improved since obviously it
isn't clear enough.

> >  The Security Team has no discretion to accept applications which do
> >  not provide all of the information required above.
> This is a good list.
> I do think we should test this though to make sure it actually works. I think 
> there are a few areas which may be ambiguous or not clear enough.

It might be worth looking at constructing some hypothetical or
historical applications and judging them against these criteria.

> I also think we do need to address how websites in non-English languages
> would be handled. Of course we do not want to discriminate.

So far, what the security team have done is use online machine
translation services.  That seems to have been sufficient so far.
