Re: [Xen-devel] Possible improvement to Xen Security Response Process
On Wed, 2017-01-04 at 13:02, Jan Beulich wrote:
> >>> On 04.01.17 at 12:58, <James.Bulpin@xxxxxxxxxx> wrote:
> > On Tue, 2016-12-13 at 08:42, Jan Beulich wrote:
> > >>>> On 12.12.16 at 18:11, <matthew.allen@xxxxxxxxxx> wrote:
> > > > I'll join in the bunfight with a stronger proposal (noting in
> > > > passing that according to https://xenbits.xen.org/xsa/ we are now
> > > > expecting 5 consecutive weeks of XSA announcements):
> > > >
> > > > 1) Where practical, XSA public disclosures will be batched and
> > > > announced once per month.
> > > >
> > > > 2) The calendar of disclosure dates will be published well in
> > > > advance and will avoid Fridays, weekends, or dates on or immediately
> > > > before widely respected public holidays.
> > > >
> > > > 3) Issues will normally have at least 14 days pre-disclosure; this
> > > > means that an issue discovered immediately prior to a scheduled
> > > > publication date will normally not be disclosed until the next
> > > > publication date.
> > >
> > > Hmm - this means 6 weeks of latency in the worst case. I don't think
> > > that's reasonable.
> >
> > What if instead we adopted a model similar to Microsoft's "patch
> > Tuesday"[1] where there is always one scheduled release/disclosure
> > date per month and a second scheduled date two weeks later that is
> > used if needed. As discussed earlier in this thread we could issue
> > guidance/recommendations to the discoverers on choice of disclosure date
> > - this could be along the lines of "the second Tuesday in a month that
> > is at least 14 days after the initial pre-disclosure; in cases where
> > this creates a significant delay, such as more than 4 weeks, and the
> > issue is considered to be of significant urgency due to its severity,
> > then the fourth Tuesday in the month should be considered so long as
> > this allows for a 14 day pre-disclosure period" (or something like that).
>
> Well, that'll leave us with another fuzzy thing - what does "significant
> urgency due to its severity" really mean? The more that depending on use
> case, people may have significantly differing opinions on this.

TBH I think a certain amount of fuzziness is unavoidable - I don't think
it's practical or desirable to try to foresee every possible case and
define a rule for it. I'd rather have a (mostly) predictable schedule for
our users even if that means some fuzziness and the inevitable
inconsistency it'll bring, rather than the current model which appears
chaotic to users.

Cheers,
James

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel