
Re: [Xen-devel] Possible improvement to Xen Security Response Process

James Bulpin writes ("Re: [Xen-devel] Possible improvement to Xen Security 
Response Process"):
> On Tue, 2016-12-13 at 08:42, Jan Beulich wrote:
>> On 12.12.16 at 18:11, <matthew.allen@xxxxxxxxxx> wrote:
> >
> > Hmm - this means 6 weeks of latency in the worst case. I don't
> > think that's reasonable.
> 
> What if instead we adopted a model similar to Microsoft's "patch
> Tuesday"[1] where there is always one scheduled release/disclosure
> date per month and a second scheduled date two weeks later that is
> used if needed.

If our target embargo period is ~14 days, then we should probably have
potential disclosure dates at 2 week intervals.  We could just say
"the Tuesday of an even-numbered week (ISO-8601)".

The rule about trying to avoid widely-observed public holidays would
mean we wouldn't release an advisory on the last Tuesday of the year,
either, so there would not be two consecutive Tuesdays.

> , and the issue is considered to be of significant urgency due
> to its severity, then the fourth Tuesday in the month should be
> considered so long as this allows for a 14 day pre-disclosure
> period" (or something like that).

I agree with Jan that this fuzziness is undesirable.  Also, more
severe vulnerabilities are both more urgent to fix, and also have
worse impact if released before people are ready, so severity is the
wrong measure.  If there is any kind of measure that is relevant it is
difficulty.

I'm writing here mostly with my personal hat, but my security team hat
really dislikes ambiguity like this.  It leads to unclear
decision-making and side discussions.

I would like the policy to specify a clear cutoff.  Jan, are you
comfortable with a "default" of between 2 and 4 weeks' embargo,
depending on the timing of the discovery etc. ?  Personally I think a
4 week maximum seems rather long, but with a 2 week cadence that can't
be reduced without also shortening the 2 week minimum.  The range 2-4
weeks seems like a plausible compromise.

If that is acceptable then waiting for the next alternate Tuesday,
such that the embargo period is >=14 days, would work, and we could
write that up as formal wording.

Thanks,
Ian.

-- 
Ian Jackson <ijackson@xxxxxxxxxxxxxxxxxxxxxx>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
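As an added illustration (not part of Ian's message, and not the Xen project's actual policy or tooling), here is a small Python model of the scheduling rule discussed in the thread: disclose on the Tuesday of an even-numbered ISO-8601 week, at least 14 days after discovery, and never on the last Tuesday of the calendar year. It computes the disclosure date for a given discovery date and the resulting embargo length, which makes the "between 2 and 4 weeks" range visible; the discovery dates used are constructed for the example.

```python
from datetime import date, timedelta
from typing import Tuple

# Minimum pre-disclosure (embargo) period proposed in the thread.
MIN_EMBARGO_DAYS = 14


def is_candidate_tuesday(d: date) -> bool:
    """A disclosure slot is a Tuesday in an even-numbered ISO week,
    excluding the last Tuesday of the calendar year (holiday rule)."""
    _iso_year, iso_week, iso_weekday = d.isocalendar()
    if iso_weekday != 2 or iso_week % 2 != 0:
        return False
    # Last Tuesday of the year: the following Tuesday already falls in next year.
    if (d + timedelta(days=7)).year != d.year:
        return False
    return True


def next_disclosure_date(discovery: date,
                         min_embargo_days: int = MIN_EMBARGO_DAYS) -> date:
    """First candidate Tuesday that is at least min_embargo_days after discovery."""
    d = discovery + timedelta(days=min_embargo_days)
    while not is_candidate_tuesday(d):
        d += timedelta(days=1)
    return d


def embargo_length(discovery: date) -> int:
    """Embargo length in days implied by the rule for a given discovery date."""
    return (next_disclosure_date(discovery) - discovery).days


def embargo_bounds(first: date, last: date) -> Tuple[int, int]:
    """Shortest and longest embargo over every discovery date in [first, last]."""
    lengths = []
    d = first
    while d <= last:
        lengths.append(embargo_length(d))
        d += timedelta(days=1)
    return min(lengths), max(lengths)


if __name__ == "__main__":
    # Constructed discovery dates around the time of the thread.
    for found in (date(2016, 11, 1), date(2016, 11, 2), date(2016, 12, 12)):
        print(found, "->", next_disclosure_date(found),
              f"({embargo_length(found)} days)")
    # Away from the year end the slots are exactly 14 days apart,
    # so the embargo ranges from 14 to 27 days.
    print("bounds Feb-Oct 2016:", embargo_bounds(date(2016, 2, 1), date(2016, 10, 31)))
```

The year-end skip is what pushes a discovery on 12 December 2016 out to 10 January 2017 (29 days), slightly beyond the 4-week figure that holds in the rest of the year.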