Re: [Xen-devel] Security disclosure process discussion update



On Mon, Dec 17, 2012 at 12:58:13PM +0000, George Dunlap wrote:
> After concluding our poll [1] about changes to the security
> discussion, we determined that "Pre-disclosure to software vendors and
> a wide set of users" was probably the best fit for the community.  A
> set of concrete changes to the policy have now been discussed on
> xen-devel [2] [3], and we seem to have converged on something everyone
> finds acceptable.
> 
> We are now presenting these changes for public review.  The purpose of
> this review process is to allow feedback on the text which will be
> voted on, in accordance with the Xen.org governance procedure [3].  Our
> plan is to leave this up for review until the third week in January.
> Any substantial updates will be mentioned on the blog and will extend
> the review time.
> 
> All feedback and discussion should happen in public on the xen-devel
> mailing list.  If you have any suggestions for how to improve the
> proposal, please e-mail the list, and cc George Dunlap (george dot
> dunlap at citrix.com).
> 
> = Summary of the updates =
> 
> As discussed on the xen-devel mailing list, expand eligibility of the
> pre-disclosure list to include any public hosting provider, as well
> as software project:
> * Change "Large hosting providers" to "Public hosting providers"
> * Remove "widely-deployed" from vendors and distributors
> * Add rules of thumb for what constitutes "genuine"
> * Add an itemized list of information to be included in the application,
> to make expectations clear and (hopefully) applications more streamlined.
> 
> The first will allow hosting providers of any size to join.
> 
> The second will allow software projects and vendors of any size to join.
> 
> The third and fourth will help describe exactly what criteria will be used
> to determine eligibility for 1 and 2.
> 
> Additionally, this proposal adds the following requirements:
> * Applicants and current members must use an e-mail alias, not an
> individual's e-mail

So if we use a mailing list internally..
> * Applicants and current members must submit a statement saying that they
> have read, understand, and will abide by this process document.

Are the folks on the internal mailing list bound by this as well? Meaning
that if a new person would like to join the internal mailing list they
need to have read, understood, etc. the process document?

I would presume so, but you are not stating it here nor:

http://wiki.xen.org/wiki/Security_vulnerability_process_draft

So what is driving the 'alias' requirement?


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel