Xen project Mailing List

Re: [Xen-devel] Possible improvement to Xen Security Response Process

From: Stefano Stabellini <sstabellini@xxxxxxxxxx>

Date: Mon, 5 Dec 2016 11:24:49 -0800 (PST)

Cc: committers@xxxxxxxxxxxxxx, Matthew Allen <matthew.allen@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxx

Delivery-date: Mon, 05 Dec 2016 19:24:57 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Mon, 5 Dec 2016, Jan Beulich wrote: > >>> On 05.12.16 at 15:17, <matthew.allen@xxxxxxxxxx> wrote: > > From a security purist point of view, any delay in publication could > > increase the possibility of vulnerabilities being exploited in the > > wild. However, given the significant frequency of publication of XSAs, > > I’d suggest that users failing to keep up with the publication rate > > is presently a much greater security risk. > > > > If XSAs were to be batched, we should also consider if batch updates > > should be encouraged to be on pre-defined dates. The present > > unpredictability makes it unnecessarily more difficult for users of > > Xen to plan their lives. For example, our present process causes > > organisations with few administrators to choose between cancelling > > holidays or not patching. > > > > Obviously, some issues are discussed in public before the security > > impact is realised (such as XSA-201); equally, the right to set > > a disclosure date (if any) rests with the discoverer. However, > > my experience of other software (which may not be typical) has been > > that discoverers are usually happy to go along with any reasonable > > proposed date given in the same way that discoverers of XSAs are > > usually happy to conform to our present policy. > > > > If this seems a good idea, then I’ll post a concrete proposal but > > I’d like to get general feedback first. > > I think very much here depends on the concrete aspects of the > proposal (timing, room for exceptions, etc). From just a general > pov, I can see advantages and disadvantages to both, just like > you've indicated yourself already. Also it shouldn't be left out of > consideration that for less severe vulnerabilities consuming > parties could decide for themselves whether to delay patching > (and hence leverage batching); I'm not convinced it would be a > good idea to require the XenProject Security Team to take this > decision in all cases. Given that the disclosure date is always chosen by the discoverer, the only thing the security team can do is to suggest. It could make sense to have a policy to pick the date the team should propose to the discoverer, but at the end of the day, it is always, entirely, up to her.

_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.