Re: [Xen-devel] Possible improvement to Xen Security Response Process

[James Bulpin <James.Bulpin@xxxxxxxxxx>]

On Tue, 2016-12-13 at 08:42, Jan Beulich wrote:
>>>> On 12.12.16 at 18:11, <matthew.allen@xxxxxxxxxx> wrote:
>> I'll join in the bunfight with a stronger proposal (noting in passing 
>> that according to https://xenbits.xen.org/xsa/ we are now expecting 5 
>> consecutive weeks of XSA announcements):
>> 1) Where practical, XSA public disclosures will be batched and 
>> announced once per month.
>> 2) The calendar of disclosure dates will be published well in advance 
>> and will avoid Fridays, weekends, or dates on or immediately before 
>> widely respected public holidays.
>> 3) Issues will normally have at least 14 days pre-disclosure; this 
>> means that an issue discovered immediately prior to a scheduled 
>> publication date will normally not be disclosed until the next publication 
>> date.
>
>Hmm - this means 6 weeks of latency in the worst case. I don't think that's 
>reasonable.

What if instead we adopted a model similar to Microsoft's "patch Tuesday"[1]
where there is always one scheduled release/disclosure date per month and a
second scheduled date two weeks later that is used if needed. As discussed
earlier in this thread we could issue guidance/recommendations to the
discovers on choice of disclosure date - this could be along the lines of
"the second Tuesday in a month that is at least 14 days after the initial
pre-disclosure; in cases where this creates a significant delay, such as
more than 4 weeks, and the issue is considered to be of significant urgency
due to its severity, then the fourth Tuesday in the month should be
considered so long as this allows for a 14 day pre-disclosure period" (or
something like that).

Thoughts?

Cheers,
James

[1] https://en.wikipedia.org/wiki/Patch_Tuesday
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel