Xen project Mailing List

Re: [Xen-devel] [Xen-users] Security disclosure process discussion update

To: Ian Campbell <Ian.Campbell@xxxxxxxxxx>

From: George Dunlap <george.dunlap@xxxxxxxxxxxxx>

Date: Wed, 1 May 2013 16:38:53 +0100

Cc: "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>

Delivery-date: Wed, 01 May 2013 15:39:19 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 01/05/13 16:37, Ian Campbell wrote:

On Wed, 2013-05-01 at 16:31 +0100, George Dunlap wrote:

On 24/04/13 12:02, George Dunlap wrote:

On 19/04/13 20:41, Ian Campbell wrote:

On Tue, 2013-04-16 at 15:13 +0100, Ian Campbell wrote:

On Tue, 2013-04-16 at 14:05 +0100, George Dunlap wrote:

On 15/04/13 15:55, Ian Campbell wrote:

Asking them to setup xen-security-team@xxxxxxxxxx seems a bit of a
burden

I'm just curious, is it really that much of a burden?  If Debian, for
example, already has infrastructure to accept
"<package>@packages.debian.org", how much extra work is it to add
"<package>-security@xxxxxxxxxx"?

For just one $package its probably still a moderate amount of work. I

Ian J pointed out to me IRL that this is the sort of thing alioth (the
Debian Source/FusionForge instance) ought to be able to provide and I
can see an interface which purports to allow me to create a private list
on there (but I've not tried it).

Not sure about other distros but this seems to solve it for Debian at
least.

How about the following:

The addition of individual e-mail addresses for
         an organization in addition to the organizational e-mail address
         will be considered in exceptional circumstances; for example, if
         the maintainer for the xen package is not on the organization's
         security e-mail list, and either maintaining a separate list or
         having those on the list act as an intermediary would be too
         onerous.

Ping?

Sorry, thought I'd replied.

Given that Ian J has pointed me to Alioth private lists I'm no longer
concerned about this from Debian's PoV. I don't really know if this is
going to be an issue for other distros or not -- I suppose I'm inclined
to feel that if Debian can manage it so can they.

OK -- and in any case that's kind of a separate issue from the big one,

which is allowing more people to be on the list.

Thanks, -George _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.