Re: [Xen-devel] [PATCH RFC] Make all public hosting providers eligible for the pre-disclosure list
George Dunlap writes ("[Xen-devel] [PATCH RFC] Make all public hosting providers eligible for the pre-disclosure list"):
> NOTE: This RFC is meant to be a way to start a discussion on the exact
> wording which will be voted on. Once it has gone through review from
> the xen-devel mailing list, I will post an "RC" and announce it on the
> Xen blog, as well as on xen-users. Once discussion seems to have
> converged, I will post a "FINAL" one, which I will put up for a vote.

Thanks for this. Something along these lines is probably the best compromise between the available options.

...

> - <li>Large-scale hosting providers;</li>
> + <li>Public hosting providers;</li>
> <li>Large-scale organisational users of Xen;</li>
> <li>Vendors of widely-deployed Xen-based systems;</li>
> <li>Distributors of widely-deployed operating systems with
> Xen support...
> + <p>Here as a rule of thumb, "public hosting provider" means
+ "selling virtualization services to the general public";
> + "large-scale" and "widely deployed" means an installed base of
> + 300,000 or more Xen guests. Other well-established organisations
> + with a mature security response process will be considered on a
> + case-by-case basis.</p>

If we are allowing any cloud provider, no matter how small, to sign up, then we should probably substantially relax the rules on software vendors too. I'm not sure exactly what the rule should be but certainly we should be requiring no more than 1,000 deployed instances.

> + <p>We prefer that a role address be used for each organisation, rather
> than one or more individual's direct email address. This helps to ensure that
> changes of personnel do not end up effectively dropping an organisation from
> the list</p>

We should insist on this I think. Otherwise it will be unmanageable.
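
Review bot: In the added rule-of-thumb paragraph, "public hosting provider" is defined only as "selling virtualization services to the general public", with no statement of how an applicant demonstrates this, while the other categories remain gated by the 300,000-guest figure; suggest saying what evidence the list administrators will accept so that admission can be checked consistently. In the same paragraph, `"large-scale" and "widely deployed" means` should read "mean", and "widely deployed" is unhyphenated where the list items use "widely-deployed". The role-address paragraph ends `the list</p>` without a full stop, and "one or more individual's direct email address" should be "individuals' direct email addresses".
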
I have another comment: given that predisclosure list members are allowed to reveal the fact that there is an advisory and the release date, would it be sensible for there to be a public list of forthcoming public advisories?

Ian.