Xen project Mailing List

Re: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem

From: George Dunlap <George.Dunlap@xxxxxxxxxxxxx>

Date: Mon, 3 Nov 2014 11:37:23 +0000

Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Ian Jackson <ijackson@xxxxxxxxxxxxxxxxxxxxxx>, Ian Campbell <Ian.Campbell@xxxxxxxxxx>

Delivery-date: Mon, 03 Nov 2014 11:37:27 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Fri, Oct 31, 2014 at 10:40 PM, Matt Wilson <msw@xxxxxxxxx> wrote: > On Thu, Oct 30, 2014 at 11:58:30AM +0000, Ian Jackson wrote: > > [...] > >> I think that people who want to be on the predisclosure list should >> make matters easy for the security team. I think it therefore is only >> fair to say that an application might be delayed if the team member >> who happens to deal with the application can't conveniently access the >> evidence that the applicant is supposed to provide. > > I think that we should reduce any burden on the security team by > making this a community decision that is discussed in public, rather > than something that is handled exclusively in a closed manner as it is > today. This way others who are active community participants can help > with the decision making process can do the investigation and weigh in > on the risk/benefit tradeoff to the security process and the > project. See Message-ID: > <20141021143053.GA22864@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> > or [1] if you are willing to visit a URL. ;-) > > There's been a bit of talk about "delay" and so on. I'd rather not set > expectations on how long the processing a petition to be added to the > predisclosure list should take. Building community consensus takes > time, just as it does for other activities like getting a patch > applied. I don't think that this process needs to be different. We might remove some of the (potential) pressure to rush things by saying that once approved, new members will not receive information about *currently embargoed* disclosures, but only about *future* disclosures. I.e., the rush of people for XSA-108 wouldn't be in a rush because (by policy) they wouldn't have been eligible to receive XSA-108 anyway. But perhaps that would be too unpopular to actually implement... -George _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.