Re: [Xen-devel] [DRAFT] Coverity Access Policy
On Wed, Sep 25, 2013 at 03:56:55PM +0100, Ian Campbell wrote:
> On Wed, 2013-09-25 at 10:26 -0400, Konrad Rzeszutek Wilk wrote:
> > On Wed, Sep 25, 2013 at 09:34:08AM +0100, Ian Campbell wrote:
> > > On Tue, 2013-09-24 at 13:35 -0400, Konrad Rzeszutek Wilk wrote:
> > > > On Mon, Sep 23, 2013 at 03:14:52PM +0100, Ian Campbell wrote:
> > > > > I've tried to codify some of the ideas put forward in the previous
> > > > > thread and round out the proposal with some practicalities.
> > > > >
> > > > > I was undecided about requiring unanimity (i.e. no objections from a
> > > > > maintainer) rather than just consensus. Any thoughts on that? A (well
> > > > > reasoned) objection should carry a fair bit of weight under these
> > > > > circumstances I think.
> > > > >
> > > > > 8<--------------------------------
> > > > >
> > > > > The Xen Project is registered with the "Coverity Scan" service[0]
> > > > > which applies Coverity's static analyser to the Open Source
> > > > > projects. The tool can and does find flaws in the source code which
> > > > > can include security issues.
> > > > >
> > > > > Triaging and proposing solutions for the flaws found by Coverity is a
> > > > > useful way in which Community members can contribute to the Xen
> > > > > Project. However because the service may discover security issues and
> > > > > the Xen Project practices responsible disclosure as described in "Xen
> > > > > Security Problem Response Process"[1] the full database of issues
> > > > > cannot simply be made public.
> > > > >
> > > > > Members of the community may request access to the Coverity database
> > > > > under the condition that for any security issues discovered, they:
> > > > >
> > > > > * agree to follow the security response process[1].
> > > > > * undertake to report security issues discovered to the security team
> > > > > (security@xxxxxxx) within 3 days of discovery.
> > > > > * waive their right to select the disclosure time line. Discoveries
> > > > > will follow the default time lines given in the policy.
> > > > > * agree to not disclose any issue discovered other than to the
> > > > > security team, unless this has been approved by the security team.
> > > >
> > > > Perhaps that sentence above could be changed to:
> > > >
> > > > * agree to disclose issues discovered to the security team. Unless the
> > > > security team has given approval to publicly disclose it.
> > >
> > > I don't think this wording quite so clearly excludes telling your
> > > friends/blackhats/people in the pub.
> > >
> > > I prefer my original wording.
> >
> > Perhaps it is me having an English as a secondary language but I had
> > a rough time understanding 'not', and 'unless' in the sentence.
> > It made it much easier to understand when I flipped it.
> >
> > Maybe this:
> > * agree to disclose the issues discovered ONLY to the security team.
> > Unless the security team has given approval to publicly disclose it.
>
> My issue with your wording was with "publicly".
>
> How about:
> * agree to disclose the issues discovered ONLY to the security team
> and not to any other party.
>
> If so I'd move it to be the bullet after "undertake to report".
>
> We can leave out the "unless approved bit", we will deal with that on a
> case by case basis.

I like that. Thank you!

>
> Ian.
>

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel