[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH RFC] Make all public hosting providers eligible for the pre-disclosure list

On Mon, 2012-12-03 at 17:12 +0000, George Dunlap wrote:
> On Tue, Nov 27, 2012 at 12:05 PM, George Dunlap
> <George.Dunlap@xxxxxxxxxxxxx> wrote:
>         On Mon, Nov 19, 2012 at 5:42 PM, Ian Campbell
>         <Ian.Campbell@xxxxxxxxxx> wrote:
>         
>                 > +    <p>Here as a rule of thumb, "public hosting
>                 provider" means
>                 > +    "selling virtualization services to the general
>                 public";
>                 > +    "large-scale" and "widely deployed" means an
>                 installed base of
>                 > +    300,000 or more Xen guests.  Other
>                 well-established organisations
>                 > +    with a mature security response process will be
>                 considered on a
>                 > +    case-by-case basis.</p>
>                 
>                 
>                 I agree with Ian that relaxing this for software
>                 vendors also seems the
>                 correct thing to do.
>         
>         If we're going to include software vendors, we need some
>         simple criteria to define what a "real" software vendor is.
>         The idea of asking for a link from cloud providers pointing to
>         public rates and a security policy, which Ian Jackson
>         proffered, was a good one.  I suppose we could do something
>         similar for software providers: a link to a web page with
>         either download-able install images, or prices, perhaps?
>         
> 
> Thinking a bit more about this one -- if someone had (say) a Debian
> derivative that looked like it was basically just a different default
> set of packages -- IOW, a very small amount of effort to create and
> maintain -- that wouldn't qualify for being on the list, right?  So it
> seems to me like "amount of effort spent" is kind of what we're
> looking for, right?  I mean, if 2-3 developers are spending 3-4 hours
> per week each working on something, then it's clearly a project we
> could consider, even if it's really small.  I'm sure that would
> include QubesOS, ArchLinux, Edubuntu, Scientific Linux, &c &c.  But if
> it's one guy spending half an hour every six months, he doesn't really
> need to be on the list I don't think.

Is "deviation from upstream" a factor at all?

e.g. is a Debian derivative just ships the Xen bits direct from Debian
then there doesn't seem to be much call for them to be on the list, they
can simply just ship the security update too. This would be true even if
they were dozens of engineers working full time.

On the other hand if they are packaging Xen themselves, or modifying the
Debian package substantially that would potentially be somewhat
different, even if they were small (like your above example).

> This would be a "rule of thumb" or "guideline" rather than a rule.

Yes, I think most of these things will have to be.

I went looking for the linux-distros list inclusion criteria, in the
hopes we could just piggy back off that, but I can't find it right now.

Ian.



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.