
Re: [Xen-devel] [PATCH RFC] Make all public hosting providers eligible for the pre-disclosure list

George Dunlap writes ("[Xen-devel] [PATCH RFC] Make all public hosting providers eligible for the pre-disclosure list"):
> NOTE: This RFC is meant to be a way to start a discussion on the exact
> wording which will be voted on.  Once it has gone through review from
> the xen-devel mailing list, I will post an "RC" and announce it on the
> Xen blog, as well as on xen-users.  Once discussion seems to have
> converged, I will post a "FINAL" one, which I will put up for a vote.

Thanks for this.  Something along these lines is probably the best
compromise between the available options.

> -      <li>Large-scale hosting providers;</li>
> +      <li>Public hosting providers;</li>
>        <li>Large-scale organisational users of Xen;</li>
>        <li>Vendors of widely-deployed Xen-based systems;</li>
>        <li>Distributors of widely-deployed operating systems with
>        Xen support...
> +    <p>Here as a rule of thumb, "public hosting provider" means
 +    "selling virtualization services to the general public";
> +    "large-scale" and "widely deployed" means an installed base of
> +    300,000 or more Xen guests.  Other well-established organisations
> +    with a mature security response process will be considered on a
> +    case-by-case basis.</p>
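Review bot: the rule-of-thumb paragraph attaches the 300,000-guest threshold only to "large-scale" and "widely deployed" and sets no lower bound at all for "public hosting provider", so the two routes onto the list are asymmetric; if a provider of any size is meant to qualify, the text should say so explicitly rather than leave it to be inferred from the removed word "Large-scale". Minor: with the compound subject '"large-scale" and "widely deployed"' the verb should be "mean", not "means".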

If we are allowing any cloud provider, no matter how small, to sign
up, then we should probably substantially relax the rules on software
vendors too.  I'm not sure exactly what the rule should be but
certainly we should be requiring no more than 1,000 deployed

> +    <p>We prefer that a role address be used for each organisation, rather 
> than one or more individual's direct email address. This helps to ensure that 
> changes of personnel do not end up effectively dropping an organisation from 
> the list</p>
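Review bot: "We prefer" leaves the role address optional, so a member can still register an individual's address and silently drop off the list on a personnel change, which is exactly the failure the paragraph describes; if that outcome is unacceptable, make it a requirement ("must" or "is required"). Minor: "one or more individual's direct email address" should read "one or more individuals' direct email addresses", and the closing sentence is missing its full stop before </p>.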

We should insist on this I think.  Otherwise it will be unmanageable.

I have another comment: given that predisclosure list members are
allowed to reveal the fact that there is an advisory and the release
date, would it be sensible for there to be a public list of
forthcoming public advisories?

