Re: [Xen-devel] Possible improvement to Xen Security Response Process
>>> On 04.01.17 at 12:58, <James.Bulpin@xxxxxxxxxx> wrote:
> On Tue, 2016-12-13 at 08:42, Jan Beulich wrote:
>>>>> On 12.12.16 at 18:11, <matthew.allen@xxxxxxxxxx> wrote:
>>> I'll join in the bunfight with a stronger proposal (noting in passing
>>> that according to https://xenbits.xen.org/xsa/ we are now expecting 5
>>> consecutive weeks of XSA announcements):
>>> 1) Where practical, XSA public disclosures will be batched and
>>> announced once per month.
>>> 2) The calendar of disclosure dates will be published well in advance
>>> and will avoid Fridays, weekends, or dates on or immediately before
>>> widely respected public holidays.
>>> 3) Issues will normally have at least 14 days pre-disclosure; this
>>> means that an issue discovered immediately prior to a scheduled
>>> publication date will normally not be disclosed until the next publication
>>> date.
>>
>> Hmm - this means 6 weeks of latency in the worst case. I don't think that's
>> reasonable.
>
> What if instead we adopted a model similar to Microsoft's "patch Tuesday"[1]
> where there is always one scheduled release/disclosure date per month and a
> second scheduled date two weeks later that is used if needed. As discussed
> earlier in this thread we could issue guidance/recommendations to the
> discoverers on choice of disclosure date - this could be along the lines of
> "the second Tuesday in a month that is at least 14 days after the initial
> pre-disclosure; in cases where this creates a significant delay, such as
> more than 4 weeks, and the issue is considered to be of significant urgency
> due to its severity, then the fourth Tuesday in the month should be
> considered so long as this allows for a 14 day pre-disclosure period" (or
> something like that).

Well, that'll leave us with another fuzzy thing - what does "significant
urgency due to its severity" really mean? The more that, depending on use
case, people may have significantly differing opinions on this.
Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel