Re: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem
On Mon, Nov 10, 2014 at 5:29 PM, Ian Jackson <ijackson@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> Matt Wilson writes ("Re: [Xen-devel] Security policy ambiguities - XSA-108
> process post-mortem"):
>> On this point in particular, back in 2012 [1] I suggested that all
>> membership requests should be discussed in public on a community email
>> list like xen-devel, or another email list to avoid noise. The Xen
>> Project Security Team shouldn't have to evaluate petitions for
>> membership while managing an embargoed issue. I brought this up again
>> in 2013 [2] regarding the Coverity process.
>
> I agree that publishing applications, and the team's responses, would
> be a jolly good idea. I am 100% opposed, though, to any kind of
> non-objective `community consensus' process.
>
> Such a system would (a) be unworkable in practice, because no-one
> really cares about this kind of tedious makework, and (b) at serious
> risk of favouritism (or its opposite).

"Its opposite" meaning, "We all hate company X, so let's not let them join the list"?

>> This process works quite well for the distros email list, where
>> requests for membership are discussed on oss-security (a
>> public list). [...]
>
> I don't want to criticise another community's process, but I strongly
> feel that our arrangements should have broad eligibility based on
> objective criteria.

Having black-and-white rules is nice and simple and safe; but in most reasonably "rich" domains, it's very difficult to come up with simple, objective criteria that cover all situations satisfactorily. This is true in morality and law; my guess is that it's true here as well.

But I'd be willing to take a look at such a list; maybe I'm wrong about how objective we can make things. :-)

-George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel