Re: [Xen-devel] Coverity + XenProject + Process?

On Sat, Aug 31, 2013 at 10:36:40AM +0100, Ian Campbell wrote:
> On Fri, 2013-08-30 at 11:00 -0400, Konrad Rzeszutek Wilk wrote:
> > But I am not sure who should have the power to veto/accept
> > volunteers? Should security@xxxxxxx do that? Or should folks
> > at Xen Devel mailing list be involved in it as well?
> I'd be happier if this was done publicly. Since there is no security
> sensitive information at this point there is no reason for it to be
> private AFAICT. Maybe the social awkwardness of having people be
> publicly turned down is important though?


The "discuss in public" approach seems to work for the "distros"
mailing list. Membership requests are discussed in public on the
"oss-security" mailing list. [1]

> Wherever they are made I think we need requests to include a short bio
> of the person, covering who they are, what their security background is
> and why they are interested specifically in the xen project, etc. To aid
> us in making a decision as to whether we should trust them.
> The request should be signed with a PGP key that is part of the WoT
> strong set (i.e. reachable from mine and your keys ).
> We could just go with a rule that people need to already be known to the
> Xen community (e.g. have submitted a/some patch(es)), but I think there
> are plenty of security researchers out there who wouldn't otherwise work
> on Xen but might be valuable in this context.

This all sounds reasonable to me.


[1] http://oss-security.openwall.org/wiki/mailing-lists/distros

Xen-devel mailing list