Re: [Xen-devel] Security vulnerability process, and CVE-2012-0217
On Wed, 4 Jul 2012, George Dunlap wrote:
> On Wed, Jul 4, 2012 at 1:52 PM, Jan Beulich <JBeulich@xxxxxxxx> wrote:
> > Being on the list doesn't make you non-susceptible. Such an
> > approach, imo, would need to imply permission to anyone on
> > the list to deploy a fix as soon as it is available. But since
> > distros can't ship binaries without also making sources available,
> > that's a contradiction by itself.
>
> Yes, preventing vendors from shipping until the public disclosure date
> would discriminate against "vendor-supplied" users in favor of
> "self-supplied" users (i.e., those who download and build their own
> directly from xen.org).
>
> Would it work to say that vendors can ship to anyone on the list? In
> theory that could work, but in practice I think most distros would
> rather just release once and be done with it, rather than dealing with
> a 2-stage process.

I don't think that software vendors will be very happy to release twice.
Also, how would Debian make an update available only to the list members?
It would need to set up a strange apt-get repository system that ships
different packages (and sources) depending on who's asking?

Can we just avoid all this and use the security list to communicate that a
fix is going to be available at a particular hour of a particular day?
This way all the software vendors and service providers can ready
themselves to deploy it as soon as they can. The fix would be released to
the security list and xen-devel at the same time.

In practice, given the terms of the GPL, we cannot restrict anybody on the
list from releasing the source of the fix before the embargo ends.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel