[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem

  • To: "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>
  • From: James Bulpin <James.Bulpin@xxxxxxxxxx>
  • Date: Wed, 29 Oct 2014 13:27:58 +0000
  • Accept-language: en-GB, en-US
  • Delivery-date: Wed, 29 Oct 2014 13:29:59 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>
  • Thread-index: AQHP7k9iFc0tOkXKR0arq96ia6NPYJxHFpow
  • Thread-topic: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem

Bastian Blank writes ("Security policy ambiguities - XSA-108 process 
> [snip]
> >   List members who are service providers may deploy fixed versions
> >   during the embargo, PROVIDED THAT any action taken by the service
> >   provider gives no indication (to their users or anyone else) as to
> >   the nature of the vulnerability.
> Why this constraint to "who are service providers"?


We already have a definition of eligibility for membership of the
pre-disclosure list and therefore I don't think it is necessary or
desirable to further constrain specific privileges to subsets of the
list members.


James Bulpin
Sr. Director, Technology, XenServer/Networking, Cloud & Service Provider Group
Citrix Systems Inc.

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.