
Re: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem

>>> On 21.10.14 at 16:31, <msw@xxxxxxxxx> wrote:
> On this point in particular, back in 2012 [1] I suggested that all
> membership requests should be discussed in public on a community email
> list like xen-devel, or another email list to avoid noise. The Xen
> Project Security Team shouldn't have to evaluate petitions for
> membership while managing an embargoed issue. I brought this up again
> in 2013 [2] regarding the Coverity process.
I don’t have an issue with such an approach, in particular as this is a proven 
model elsewhere. I would like to understand though how the oss-security process 
works in practice. Aka how are decisions made, who can join the list, how are 
conflicts resolved, etc. It seems to me that such a process would be more 
transparent and also fair. In particular, if we have clear criteria as to what 
needs to be in place to be eligible.
It seems to me that if we do this, we may need to look at the Project 
Governance as well, as having a stake in decision making requires maintainer 
status today. The existing decision making process could easily be used to 
discuss access related to Coverity. It is not entirely clear to me whether 
maintainers should have to carry the burden of making decisions on who can join 
the pre-disclosure list.
Do you expect that maintainers would decide who can join the pre-disclosure 
list after a public discussion? 
Or is there another group of community members who have earned some kind of 
credibility to make decisions? And if so, who are they and how is credibility 
earned? I am assuming that oss-security has developed its own group of 
distinguished members.
Also, we would need to ensure that requests are not dropped and that the 
required admin work is done (adding entities who qualify to the pre-disclosure 
list as well as adding them to the website).
Best Regards
