Re: [Xen-devel] Security vulnerability process, and CVE-2012-0217
On Mon, 2012-07-02 at 15:51 +0100, Jan Beulich wrote:
> >>> On 02.07.12 at 15:58, Ian Campbell <Ian.Campbell@xxxxxxxxxx> wrote:
> > Pre-disclosure might be appropriate for projects whose downstreams are
> > generally software providers (e.g. Linux distros) but the high
> > proportion of Xen's immediate downstreams who are service providers
> > makes the balance somewhat different. In the case where you have a high
> > proportion of downstreams who are service providers the inherent
> > unfairness of pre-disclosure lists is amplified since membership of the
> > pre-disclosure list allows those service providers to begin deploying
> > the fix without breaching the embargo, which is even more of an
> > advantage than just knowing about the issue and being able to prepare an
> > update for your users.
>
> But if a service provider takes on the extra effort to be an
> immediate downstream, wouldn't it be fair to give it the
> advantage over those who consume distros?

I'm not sure why it would be. I can't see any link between the effort
taken to install Xen and the level of security support one should expect.
Consuming Xen via a distro is a completely rational and reasonable thing
to do.

> (Of course, I'd
> personally still want to give less of an advantage to those who
> don't contribute back, but I realize that this is impossible to
> implement in a reasonable way.)

While I can appreciate the sentiment, I think that even if we could
achieve this we should not. The provision of security updates should not
be used as either a carrot or a stick.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel