Re: [PATCH] security-process.pandoc: Statement on issuing XSAs for older versions of Xen
On Fri, Oct 27, 2023 at 3:26 PM George Dunlap <george.dunlap@xxxxxxxxx> wrote:
>
> We recently had a situation where a security issue was discovered
> which only affected versions of Xen out of security support from an
> upstream perspective. However, many downstreams (including XenServer
> and SUSE) still had supported products based on the versions affected.
>
> Specify what the security team will do in this situation in the
> future. As always, the goal here is to be fair and helpful, without
> adding to the workload of the security team. Inviting downstreams to
> list versions and ranges, as well as expecting them to be involved in
> the patch, gives organizations without representation in the security
> team the opportunity to decide to engage in the security process. At
> the same time, it puts the onus of determining which products and which
> versions might be affected, as well as the core work of creating and
> testing a patch, on downstreams.
>
> Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxx>
> ---
> The entire security-process.pandoc file can be found here:
>
> https://gitlab.com/xen-project/people/gdunlap/old-governance

...and you can see this as a pull request here:

https://gitlab.com/xen-project/people/gdunlap/old-governance/-/merge_requests/1

 -George