Re: [Xen-devel] [Xen-users] Security disclosure process discussion update

[George Dunlap <george.dunlap@xxxxxxxxxxxxx>]

On 24/04/13 12:02, George Dunlap wrote:
> On 19/04/13 20:41, Ian Campbell wrote:
> > On Tue, 2013-04-16 at 15:13 +0100, Ian Campbell wrote:
> > > On Tue, 2013-04-16 at 14:05 +0100, George Dunlap wrote:
> > > > On 15/04/13 15:55, Ian Campbell wrote:
> > > > > Asking them to setup xen-security-team@xxxxxxxxxx seems a bit of a
> > > > > burden
> > > > I'm just curious, is it really that much of a burden?  If Debian, for
> > > > example, already has infrastructure to accept
> > > > "<package>@packages.debian.org", how much extra work is it to add
> > > > "<package>-security@xxxxxxxxxx"?
> > > For just one $package its probably still a moderate amount of work. I
> > Ian J pointed out to me IRL that this is the sort of thing alioth (the
> > Debian Source/FusionForge instance) ought to be able to provide and I
> > can see an interface which purports to allow me to create a private list
> > on there (but I've not tried it).
> >
> > Not sure about other distros but this seems to solve it for Debian at
> > least.
> How about the following:
>
> The addition of individual e-mail addresses for
>         an organization in addition to the organizational e-mail address
>         will be considered in exceptional circumstances; for example, if
>         the maintainer for the xen package is not on the organization's
>         security e-mail list, and either maintaining a separate list or
>         having those on the list act as an intermediary would be too
>         onerous.
Ping?

I'd like to get the vote started on this in the next week or two.

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel