
Re: [Xen-devel] [PATCH RFC] Make all public hosting providers eligible for the pre-disclosure list

On Tue, 2012-11-27 at 12:05 +0000, George Dunlap wrote:
> On Mon, Nov 19, 2012 at 5:42 PM, Ian Campbell
> <Ian.Campbell@xxxxxxxxxx> wrote:

>         I wonder if we shouldn't also include under the list of "pre-disclosure
>         list members should not make available," include "Failure to adhere to
>         this will be grounds for removal from the list".
>         I suppose then we need an appeals process though. How about
>         "Reinstatement will require a post to the xen-devel mailing list
>         explaining the procedures which have been put in place to prevent any
>         further breach of confidentiality" + a three strikes rule (any org who
>         managed to mess this up three times isn't likely to stay in business
>         long enough to require an appeals process against that ;-)).
> I think this is a slightly separate topic -- I think it would be
> easier if we handle criteria for inclusion separately from procedure
> for removal / reinstatement.

>         Also, and I understand this is most likely taking things way too far, I
>         was wondering about requiring the request to be signed by a key which
>         itself has a signature from a key in the "strong
>         set" (http://pgp.cs.uu.nl/plot/) of PGP keys (implemented by me being
>         able to find a path from my key to it). This is just another hurdle
>         which serves to ensure that list members are in some sense legitimate.
>         (NB I'm not sure I buy this argument, surely there are corrupt types in
>         the strong set). This hurdle might be too big in practice? It doesn't
>         seem so to me but then I hang around with a lot of Debian types ;-)
> Well that might work for open-source providers, but would it work for
> say, Rackspace, Linode, Amazon?  Huawei?  Or another company like
> Citrix, whose product team isn't heavily involved in open-source
> community things?

The PGP Web of Trust isn't an OSS thing by any means.

We (security@) have easily had as many encrypted emails from the
commercial parts of various organisations as we have had from "OSS"

> It might be sensible to say that such a signature would be considered
> in the application process -- that would allow small groups that are
> very active in the OSS community to balance out large companies that
> can spend a lot on marketing &c to make themselves known.

Yes, it could certainly be one of several criteria.

>  -George

Xen-devel mailing list