Re: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem

  • To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: James Bulpin <James.Bulpin@xxxxxxxxxx>
  • Date: Wed, 29 Oct 2014 13:27:51 +0000
  • Accept-language: en-GB, en-US
  • Delivery-date: Wed, 29 Oct 2014 13:29:59 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>
  • Thread-index: AQHP5Jk1jfoLLtqstkWr3lUsWqqWAZxHJt9w
  • Thread-topic: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem

Jan Beulich writes ("Security policy ambiguities - XSA-108 process post-mortem"):
> [snip]
> I can see the benefits of allowing sharing, but I can also see
> downsides: Along with the set of pre-disclosure list members
> growing, allowing an increased amount of interchange
> (including binaries) increases the risk of a leak. And since
> us monitoring what is being exchanged would not be workable
> in my opinion, it is also clear that it would be purely incidental
> for us (or anyone else) to notice such a leak.

It's a risk but I think the benefit of having far fewer vulnerable
systems in production by the time the vulnerability is publicly
disclosed outweighs the risk. Today we have a 100% probability that
there will be large numbers of vulnerable systems the day the
embargo is lifted.

> > One reason for permitting this is that we want fairness between
> > service providers who use their own versions of Xen, and ones who use
> > a version from a software provider.  Both kinds of service provider
> > should be able to test the fix during the embargo.
> I'm not sure about this fairness aspect. Yes, distro consumers can
> apply to become a list member on their own (which I personally
> dislike, but that's what the community wanted last time round).
> But they're then still at the mercy of that distro provider, i.e. by
> the time fixed packages get produced and internally tested, the
> embargo may be over. In particular this would seem to increase
> fairness only between equal size distro providers; smaller ones
> may get further disadvantage from that due to their more limited
> bandwidth of producing/testing/distributing fixes.
> Therefore I would favor only first party consumers to be eligible
> to join the list, and no early deployments being permitted at all.

I view fairness here as providing a level playing field for all
concerned. If we do allow sharing then it doesn't mandate that
distros will provide fixes ahead of the embargo being lifted but
allows them to do so if they wish. Each distro can choose its own
policy without artificial constraint.


James Bulpin
Sr. Director, Technology, XenServer/Networking, Cloud & Service Provider Group
Citrix Systems Inc.

Xen-devel mailing list