Re: [Xen-devel] [PATCH RFC] Make all public hosting providers eligible for the pre-disclosure list
On Tue, 2012-11-27 at 12:05 +0000, George Dunlap wrote:
> On Mon, Nov 19, 2012 at 5:42 PM, Ian Campbell
> <Ian.Campbell@xxxxxxxxxx> wrote:
> > I wonder if we shouldn't also include under the list of "pre-disclosure
> > list members should not make available," include "Failure to adhere to
> > this will be grounds for removal from the list".
> >
> > I suppose then we need an appeals process though. How about
> > "Reinstatement will require a post to the xen-devel mailing list
> > explaining the procedures which have been put in place to prevent any
> > further breach of confidentiality" + a three strikes rule (any org who
> > managed to mess this up three times isn't likely to stay in business
> > long enough to require an appeals process against that ;-)).
>
> I think this is a slightly separate topic -- I think it would be
> easier if we handle criteria for inclusion separately from procedure
> for removal / reinstatement.

OK.

> > Also, and I understand this is most likely taking things way too far, I
> > was wondering about requiring the request to be signed by a key which
> > itself has a signature from a key in the "strong
> > set" (http://pgp.cs.uu.nl/plot/) of PGP keys (implemented by me being
> > able to find a path from my key to it). This is just another hurdle
> > which serves to ensure that list members are in some sense legitimate.
> > (NB I'm not sure I buy this argument, surely there are corrupt types in
> > the strong set). This hurdle might be too big in practice? It doesn't
> > seem so to me but then I hang around with a lot of Debian types ;-)
>
> Well that might work for open-source providers, but would it work for
> say, Rackspace, Linode, Amazon? Huawei? Or another company like
> Citrix, whose product team isn't heavily involved in open-source
> community things?

The PGP Web of Trust isn't an OSS thing by any means. We (security@) have
easily had as many encrypted emails from the commercial parts of various
organisations as we have had from "OSS" people.

> It might be sensible to say that such a signature would be considered
> in the application process -- that would allow small groups that are
> very active in the OSS community to balance out large companies that
> can spend a lot on marketing &c to make themselves known.

Yes, it could certainly be one of several criteria.

> -George
>

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel