Re: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem
>>> On 21.10.14 at 16:31, <msw@xxxxxxxxx> wrote:
> On this point in particular, back in 2012 [1] I suggested that all
> membership requests should be discussed in public on a community email
> list like xen-devel, or another email list to avoid noise. The Xen
> Project Security Team shouldn't have to evaluate petitions for
> membership while managing an embargoed issue. I brought this up again
> in 2013 [2] regarding the Coverity process.

Matt,

I don't have an issue with such an approach, in particular as this is a proven model elsewhere. I would like to understand though how the oss-security process works in practice, i.e. how decisions are made, who can join the list, how conflicts are resolved, etc.

It seems to me that such a process would be more transparent and also fair, in particular if we have clear criteria as to what needs to be in place to be eligible.

It seems to me that if we do this, we may need to look at the Project Governance as well, as having a stake in decision making requires maintainer status today. The existing decision making process could easily be used to discuss access related to Coverity. It is not entirely clear to me whether maintainers should have to carry the burden of making decisions on who can join the pre-disclosure list.

Do you expect that maintainers would decide who can join the pre-disclosure list after a public discussion? Or is there another group of community members who have earned some kind of credibility to make decisions? And if so, who are they and how is credibility earned? I am assuming that oss-security has developed its own group of distinguished members.

Also, we would need to ensure that requests are not dropped and that the required admin work gets done (adding entities who qualify to the pre-disclosure list as well as adding them to the website).

Best Regards
Lars

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel