Re: [Xen-devel] [PATCH RFC] Make all public hosting providers eligible for the pre-disclosure list

[Ian Campbell <Ian.Campbell@xxxxxxxxxx>]

On Mon, 2012-11-19 at 21:29 +0000, Joseph Glanville wrote:
> a) How they consume Xen, be it via a vendor, distro packages of some
> kind or whether they build and package their own. Those doing their
> own packaging I feel should be given somewhat of a priority because
> they aren't able to rely on their vendor and instead must dedicate
> resources to responding.

I think we've previously discussed whether direct vs. indirect consumers
should be on the list, but I don't recall what the consensus/conclusion
(if any) was. Indirect consumers are not included today.

Since we allow people in the list to tell their consumers about the
existence of an issue (i.e. be ready on this day to deploy) I not sure
why indirect consumers would need to be or expect to be on the list (for
example we don't consider allowing arbitrary distro users).

> b) Their upgrade and security response procedures. It doesn't make
> sense for someone to be on the pre-disclosure list if they lack the
> ability (or more importantly the requirement) to aggressively test and
> push out security fixes.

At the very least they may be able to take advantage of the mitigations
which are often presented or just keep an eye out for suspicious goings
on in their systems.

I'm also not sure why it matters how aggressively they can test and
push. Two weeks is two weeks no matter how long it takes them to
actually get stuff out the door, so it is advantageous in terms of
ensuring that security fixes propagate as quickly as possible to have
such people on the list.

If they are incompetent or slow or their service is poor then that is
something for the market to decide on, not us via the security
pre-disclosure list.

> c) Resources available to assist in testing security patches. This
> might be a non-issue but I personally think it's somewhat important
> that groups on the pre-disclosure list are able to assist in testing
> or reviewing patches, this improves the quality of said patches and
> might allow a greater degree of vulnerability exploration. This is
> however, largely my own opinion on what is considered fair
> contribution in return for the privilege.

It is nice if people on the list can do this (more eyes are always
welcome) but it absolutely is not and should not be a requirement that
they be able to do so in order to receive notification of security
vulnerabilities.

The purpose of the list is to inform users of Xen security issues. It is
not intended only to benefit those who happen to be security savvy, or
developers or even particularly competent which is what your b) and c)
seem to be trying to achieve.

The consensus which I believe we saw from the community was that the
list should be more not less inclusive, while you appear to be
advocating that it should be more exclusive.

I also think we need to be careful about considering membership of this
list to be a privilege for which one must "pay" (whether in "services"
or quid-pro-quo or whatever). It is a service which we should be
providing our users because it is the right thing to do for the Xen.org
community.

> I think there should also be appropriate "guideline" points/criteria
> that should be covered by other categories of organisations seeking to
> join the pre-disclosure group.

That sounds like a good idea.

> Sorry if ideas along the lines of these have already been raised.



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel