Re: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem
On 5 Nov 2014, at 11:17, Ian Campbell <Ian.Campbell@xxxxxxxxxx> wrote:

> On Fri, 2014-10-31 at 15:40 -0700, Matt Wilson wrote:
>> I think that we should reduce any burden on the security team by
>> making this a community decision that is discussed in public, rather
>> than something that is handled exclusively in a closed manner as it is
>> today. This way others who are active community participants can help
>> with the decision-making process, can do the investigation and weigh in
>> on the risk/benefit tradeoff to the security process and the
>> project. See Message-ID:
>> <20141021143053.GA22864@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
>> or [1] if you are willing to visit a URL. ;-)
>>
>> There's been a bit of talk about "delay" and so on. I'd rather not set
>> expectations on how long the processing of a petition to be added to the
>> predisclosure list should take. Building community consensus takes
>> time, just as it does for
>
> I think regardless of who is processing the applications what is more
> important is to have a concrete set of *objective* criteria. Anyone who
> demonstrates that they meet those criteria must be allowed to join.

I don't think that having applications discussed and processed on a dedicated public list and objective criteria are mutually exclusive. The two may provide a good balance, and allow for some flexibility in ambiguous cases. In particular if we either have a strong owner or follow the "two +1 with no -1" model of a set of decision makers who earned that status over time. More or less what we use for access to Coverity Scan output.

Regards
Lars

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel