[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem



Hi all,
I am assuming this question is in effect resolved. The proposed (and agreed) 
text basically states that security advisories state whether people will be 
allowed to deploy. The underlying assumption is that usually this is the case, 
unless there is a very good reason not to. How the security team handles these 
does not really need to be codified and could be based on whether the 
deployment would allow reverse engineering the issue (this would be very rare) 
and thus put everyone at risk, the discoverer stating that he/she not wanting a 
deployment, or any other reasons. 
Regards
Lars

> On 19 Jan 2015, at 20:36, James McKenzie <james.mckenzie@xxxxxxxxxxx> wrote:
> 
> On 29/10/14 13:27, James Bulpin wrote:
>> George Dunlap writes ("Security policy ambiguities - XSA-108 process 
>> post-mortem"):
>>> [snip]
>>> 
>>> As far as I can tell we basically have the following options:
>>> 
>>> 1. Never allow people to deploy during the embargo period.
>>> 
>>> 2. Always allow people to deploy during the embargo period.
>>> 
>>> 3. Have the security team attempt to evaluate the risk.
>>> 
>>> 4. Have individual cloud operators evaluate the risk.
>>> 
>>> This seems like a recipe for disaster.
> 
> 
> 1 and 3 seem like a recipe for disaster as organizations and individual people
> who have become aware of issues may have legal and other obligations to their
> users, it would also add a fairly strong incentive for a large operator not
> to share any issues that they, or a contractor, had found until they had
> completed a mitigation.
> 
> Perhaps:
> 
> 5) Have the security team discuss with the discoverer if fixes should be
> permitted during the embargo period before the discovery is announced to
> the list.
> 
> J.
> 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxx
> http://lists.xen.org/xen-devel


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.