Re: [Xen-devel] Security vulnerability process, and CVE-2012-0217

>>> On 04.07.12 at 14:56, George Dunlap <George.Dunlap@xxxxxxxxxxxxx> wrote:
> On Wed, Jul 4, 2012 at 1:52 PM, Jan Beulich <JBeulich@xxxxxxxx> wrote:
>> Being on the list doesn't make you non-susceptible. Such an
>> approach, imo, would need to imply permission to anyone on
>> the list to deploy a fix as soon as it is available. But since
>> distros can't ship binaries without also making sources available,
>> that's a contradiction by itself.
>
> Yes, preventing vendors from shipping until the public disclosure date
> would discriminate against "vendor-supplied" users in favor of
> "self-supplied" users (i.e., those who download and build their own
> directly from xen.org).
>
> Would it work to say that vendors can ship to anyone on the list? In
> theory that could work, but in practice I think most distros would
> rather just release once and be done with it, rather than dealing with
> a 2-stage process.

So would I think.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel