Re: [Xen-devel] [PATCH RFC] Make all public hosting providers eligible for the pre-disclosure list
On Mon, 2012-11-19 at 21:29 +0000, Joseph Glanville wrote:
> a) How they consume Xen, be it via a vendor, distro packages of some
> kind or whether they build and package their own. Those doing their
> own packaging I feel should be given somewhat of a priority because
> they aren't able to rely on their vendor and instead must dedicate
> resources to responding.

I think we've previously discussed whether direct vs. indirect consumers should be on the list, but I don't recall what the consensus/conclusion (if any) was. Indirect consumers are not included today.

Since we allow people in the list to tell their consumers about the existence of an issue (i.e. be ready on this day to deploy) I'm not sure why indirect consumers would need to be or expect to be on the list (for example we don't consider allowing arbitrary distro users).

> b) Their upgrade and security response procedures. It doesn't make
> sense for someone to be on the pre-disclosure list if they lack the
> ability (or more importantly the requirement) to aggressively test and
> push out security fixes.

At the very least they may be able to take advantage of the mitigations which are often presented or just keep an eye out for suspicious goings on in their systems.

I'm also not sure why it matters how aggressively they can test and push. Two weeks is two weeks no matter how long it takes them to actually get stuff out the door, so it is advantageous in terms of ensuring that security fixes propagate as quickly as possible to have such people on the list. If they are incompetent or slow or their service is poor then that is something for the market to decide on, not us via the security pre-disclosure list.

> c) Resources available to assist in testing security patches. This
> might be a non-issue but I personally think it's somewhat important
> that groups on the pre-disclosure list are able to assist in testing
> or reviewing patches, this improves the quality of said patches and
> might allow a greater degree of vulnerability exploration. This is
> however, largely my own opinion on what is considered fair
> contribution in return for the privilege.

It is nice if people on the list can do this (more eyes are always welcome) but it absolutely is not and should not be a requirement that they be able to do so in order to receive notification of security vulnerabilities.

The purpose of the list is to inform users of Xen security issues. It is not intended only to benefit those who happen to be security savvy, or developers or even particularly competent, which is what your b) and c) seem to be trying to achieve. The consensus which I believe we saw from the community was that the list should be more not less inclusive, while you appear to be advocating that it should be more exclusive.

I also think we need to be careful about considering membership of this list to be a privilege for which one must "pay" (whether in "services" or quid-pro-quo or whatever). It is a service which we should be providing our users because it is the right thing to do for the Xen.org community.

> I think there should also be appropriate "guideline" points/criteria
> that should be covered by other categories of organisations seeking to
> join the pre-disclosure group.

That sounds like a good idea.

> Sorry if ideas along the lines of these have already been raised.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel