Xen project Mailing List

Re: [Xen-devel] Possible improvement to Xen Security Response Process

To: Stefano Stabellini <sstabellini@xxxxxxxxxx>

From: Matthew Allen <matthew.allen@xxxxxxxxxx>

Date: Tue, 6 Dec 2016 14:54:35 +0000

Cc: committers@xxxxxxxxxxxxxx, Jan Beulich <JBeulich@xxxxxxxx>, xen-devel@xxxxxxxxxxxxx

Delivery-date: Tue, 06 Dec 2016 14:54:47 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Mon, 2016-12-05 at 11:24 -0800, Stefano Stabellini wrote: > On Mon, 5 Dec 2016, Jan Beulich wrote: > > >>> On 05.12.16 at 15:17, <matthew.allen@xxxxxxxxxx> wrote: ... > > > Obviously, some issues are discussed in public before the security > > > impact is realised (such as XSA-201); equally, the right to set > > > a disclosure date (if any) rests with the discoverer. However, > > > my experience of other software (which may not be typical) has been > > > that discoverers are usually happy to go along with any reasonable > > > proposed date given in the same way that discoverers of XSAs are > > > usually happy to conform to our present policy. > > > > > > If this seems a good idea, then I’ll post a concrete proposal but > > > I’d like to get general feedback first. > > > > I think very much here depends on the concrete aspects of the > > proposal (timing, room for exceptions, etc). From just a general > > pov, I can see advantages and disadvantages to both, just like > > you've indicated yourself already. Also it shouldn't be left out of > > consideration that for less severe vulnerabilities consuming > > parties could decide for themselves whether to delay patching > > (and hence leverage batching); I'm not convinced it would be a > > good idea to require the XenProject Security Team to take this > > decision in all cases. > > Given that the disclosure date is always chosen by the discoverer, the > only thing the security team can do is to suggest. It could make sense > to have a policy to pick the date the team should propose to the > discoverer, but at the end of the day, it is always, entirely, up to > her. I agree; I'm suggesting changes to the dates that the security team would propose to a discoverer. It's clearly entirely up to the discoverer whether they accept the proposal or decide on a different date (and they are, of course, under no obligation to contact the security team in advance at all). It does seem that discoverers are usually kind enough to contact the security team and consent to the dates suggested by the present policy; we should respect that kindness by making best use of the flexibility offered as well as ensuring timely release. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.