Re: [Xen-devel] Possible improvement to Xen Security Response Process

On Tue, 2016-12-13 at 08:42, Jan Beulich wrote:
>>>> On 12.12.16 at 18:11, <matthew.allen@xxxxxxxxxx> wrote:
>> I'll join in the bunfight with a stronger proposal (noting in passing
>> that according to https://xenbits.xen.org/xsa/ we are now expecting 5
>> consecutive weeks of XSA announcements):
>>
>> 1) Where practical, XSA public disclosures will be batched and
>> announced once per month.
>>
>> 2) The calendar of disclosure dates will be published well in advance
>> and will avoid Fridays, weekends, or dates on or immediately before
>> widely respected public holidays.
>>
>> 3) Issues will normally have at least 14 days pre-disclosure; this
>> means that an issue discovered immediately prior to a scheduled
>> publication date will normally not be disclosed until the next publication
>> date.
>
> Hmm - this means 6 weeks of latency in the worst case. I don't think that's
> reasonable.

What if instead we adopted a model similar to Microsoft's "patch Tuesday"[1], where there is always one scheduled release/disclosure date per month and a second scheduled date two weeks later that is used if needed.

As discussed earlier in this thread, we could issue guidance/recommendations to the discoverers on the choice of disclosure date. This could be along the lines of "the second Tuesday in a month that is at least 14 days after the initial pre-disclosure; in cases where this creates a significant delay, such as more than 4 weeks, and the issue is considered to be of significant urgency due to its severity, then the fourth Tuesday in the month should be considered so long as this allows for a 14-day pre-disclosure period" (or something like that).

Thoughts?

Cheers,
James

[1] https://en.wikipedia.org/wiki/Patch_Tuesday

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel