
Re: [Xen-devel] [DRAFT] Coverity Access Policy



On Wed, Sep 25, 2013 at 09:34:08AM +0100, Ian Campbell wrote:
> On Tue, 2013-09-24 at 13:35 -0400, Konrad Rzeszutek Wilk wrote:
> > On Mon, Sep 23, 2013 at 03:14:52PM +0100, Ian Campbell wrote:
> > > I've tried to codify some of the ideas put forward in the previous
> > > thread and round out the proposal with some practicalities.
> > > 
> > > I was undecided about requiring unanimity (i.e. no objections from a
> > > maintainer) rather than just consensus. Any thoughts on that? A (well
> > > reasoned) objection should carry a fair bit of weight under these
> > > circumstances I think.
> > > 
> > > 8<--------------------------------
> > > 
> > > The Xen Project is registered with the "Coverity Scan" service[0]
> > > which applies Coverity's static analyser to the Open Source
> > > projects. The tool can and does find flaws in the source code which
> > > can include security issues.
> > > 
> > > Triaging and proposing solutions for the flaws found by Coverity is a
> > > useful way in which Community members can contribute to the Xen
> > > Project. However because the service may discover security issues and
> > > the Xen Project practices responsible disclosure as described in "Xen
> > > Security Problem Response Process"[1] the full database of issues
> > > cannot simply be made public.
> > > 
> > > Members of the community may request access to the Coverity database
> > > under the condition that for any security issues discovered, they:
> > > 
> > >  * agree to follow the security response process[1].
> > >  * undertake to report security issues discovered to the security team
> > >    (security@xxxxxxx) within 3 days of discovery.
> > >  * waive their right to select the disclosure time line. Discoveries
> > >    will follow the default time lines given in the policy.
> > >  * agree to not disclose any issue discovered other than to the
> > >    security team, unless this has been approved by the security team.
> > 
> > Perhaps that sentence above could be changed to:
> > 
> >  * agree to disclose issues discovered to the security team. Unless the
> >    security team has given approval to publicly disclose it.
> 
> I don't think this wording quite so clearly excludes telling your
> friends/blackhats/people in the pub.
> 
> I prefer my original wording.

Perhaps it is me having English as a secondary language, but I had
a rough time understanding 'not' and 'unless' in the sentence.
It was much easier to understand when I flipped it.

Maybe this:
  * agree to disclose the issues discovered ONLY to the security team.
    Unless the security team has given approval to publicly disclose it.


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel