Re: [Xen-devel] Earlier embargoed pre-disclosure without patches
(Just adding Lars so he is aware and can run the formal vote once we have
consensus on a proposal for new text)

On Tue, 2015-05-26 at 15:38 +0000, Major Hayden wrote:
> On 05/26/2015 07:15 AM, Stefano Stabellini wrote:
> > On Fri, 22 May 2015, Major Hayden wrote:
> > > On 05/22/2015 09:04 AM, Jan Beulich wrote:
> > > > If you were to ask for this only if the time gap until embargo expiry
> > > > was less than the default of two weeks, maybe I would buy this.
> > >
> > > I'm good with that as well. I think we're saying:
> > >
> > >     if embargo_length < 14d:
> > >         # XSA-133 situation
> > >         send_pre_disclosure_draft()
> > >         wait_for_patches()
> > >     elif embargo_length >= 14d and not patches_ready:
> > >         wait_for_patches()
> > >     else:
> > >         send_pre_disclosure_full()
> > >
> > > Forgive my awful pseudo code. My coffee buffer is not yet full. ;)
> >
> > It makes sense to me. I can see the value for an organization with
> > thousands of servers to know about it in advance, regardless of the
> > patches, so that it can schedule the update work appropriately.
>
> Thanks for the help, folks. I've tossed a proposed security policy change
> into a Github gist[1].
>
> My proposal is to add this paragraph to the "Embargo and disclosure schedule"
> section of the Xen Security Policy[2]:
>
>     In the event that a two week embargo cannot be guaranteed,
>     we will send a draft with information about the vulnerability
>     to the pre-disclosure list as soon as possible, even if
>     patches have not yet been written or tested. An updated
>     draft will be sent to the pre-disclosure list once patches
>     become available.
>
> I welcome any and all feedback. Thanks!
>
> [1] https://gist.github.com/major/1a4f7ba7787b754845e9
> [2] http://www.xenproject.org/security-policy.html
>
> --
> Major Hayden

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel