Re: [Xen-devel] [Xen-users] Security disclosure process discussion update
On Mon, 2012-12-17 at 12:58 +0000, George Dunlap wrote:
> * Applicants and current members must use an e-mail alias, not an
> individual's e-mail

An interesting wrinkle with this has come up a couple of times recently (and at least once long ago, which we'd all forgotten about): the security team aliases of most distros at least include a bunch of people charged with security support for the distro generally but not usually, except by coincidence, the actual Xen package maintainer.

We've had a couple of distro package maintainers ask to be on the list in their own right in addition to the relevant security team. Asking them to set up xen-security-team@xxxxxxxxxx seems a bit of a burden, but the existing package aliases are not necessarily private, e.g. in Debian the xen package's maintainer field is set to a public mailing list, which is not uncommon in Debian and which causes stuff sent to xen@xxxxxxxxxxxxxxxxxxx (the canonical way to mail a package maintainer) to go to the list.

In the past we (the security team) have accepted these requests (after checking with the relevant security team that this is ok), but the above change would suggest that we should not.

One option which we have is to stick by the requirement to only list aliases and request that the relevant security team forward advisories, discussion etc. to the maintainer as they feel necessary. Distro security teams do this anyway in many cases, but it seems a bit silly to stop them from delegating to the maintainer and "getting out of the way" in cases where they want to.

We could perhaps weaken the requirement slightly and say that every organisation must list at least one e-mail alias but that individuals will be accepted, perhaps with a list of requirements, such as:

* clearly associated with a particular organisation
* cleared by that organisation's alias to be on the list
* there is an obvious reason why the individual cannot be on the alias (it's a generic distro alias being pretty obvious)

(Obviously putting the word "obvious" in the actual guidelines would be a recipe for interminably long threads about what is obvious, but obviously you get the gist.)

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel