Re: [Xen-devel] Security vulnerability process, and CVE-2012-0217
Hi Ian,

Thanks for discussing this in a public way!

On 06/20/2012 02:16 AM, Ian Jackson wrote:
> We had one request from a public Xen cloud provider to be provided
> with predisclosure information. However it appeared to us that they
> didn't meet the size threshold in the process document.
>
> The size threshold is of course open to discussion.
>

I find the concept of "Xen Cloud provider size threshold" quite
anti-competitive. Why would a bigger provider be offered a
substantial advantage over the smaller one?

On 06/20/2012 02:16 AM, Ian Jackson wrote:
> One particular issue here which also relates to the predisclosure
> membership criteria, is whether large indirect consumers of Xen should
> be on the predisclosure list in their own right. That would allow
> them to deploy the fix before the embargo date. It would also allow
> them to prepare for testing and deployment, before the fix is
> available from their vendor (who would in this scenario also be
> entitled to be a predisclosure list member).
>

And other hosting providers not in the list? They can be hacked and
die, while the big ones are safe? Why wouldn't a smaller company know?

Can *I* be in the predisclosure list? If you reject me from such list,
why? What's the procedure to be on such list?

On 06/20/2012 05:45 PM, George Dunlap wrote:
> The only way this would work is if the predisclosure list consisted
> exclusively of software providers, and specifically excluded service
> providers.

I agree, though you might have corner cases. What if you are *both*
software and service provider (e.g. I'm working on Debian and XCP, and
my small company provides a hosted Xen service)?

Cheers,

Thomas

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel