
Re: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem

On Thu, Oct 9, 2014 at 12:06 AM, Ian Jackson
<ijackson@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> Xen Project Security Team writes ("Security policy ambiguities - XSA-108 process post-mortem"):
>> We welcome any feedback on our decisions and we look forward to
>> clearer directions from the community.
> Here is my own, purely personal, response with answers to the
> questions asked.  NB that this is not the opinion of Citrix nor of
> the Xen Project Security Team.  But I thought I would at least write
> down something concrete for people to argue about.
>> Sharing amongst predisclosure list members
> I think that the answer should be `yes', in principle.  There seems
> little point forbidding this.
> Allowing greater sharing would perhaps allow problems with patches to
> be discovered (and the revised patches developed) more easily.  We
> should provide a clear channel for collaboration between predisclosure
> list members.
> Therefore, the policy should be extended by adding, before
> `Organisations who meet the criteria', the new section:
>   List members are allowed to share fixes to embargoed issues,
>   analysis, etc., with the security teams of other list members.
>   Technical measures must be taken to prevent non-list-member
>   organisations, or unauthorised staff in list-member organisations,
>   from obtaining the embargoed materials.
>   The Xen Project provides the mailing list
>      xen-security-issues-discuss@xxxxxxxxxxxxxxxxxxxx
>   for this purpose.  List members are encouraged to use it but
>   may share with other list members' security teams via other
>   channels.
>   The -discuss list's distribution is identical to that of the primary
>   predisclosure list xen-security-issues.  Recipient organisations who
>   do not wish to receive all of the traffic on -discuss should use
>   recipient-side email filtering based on the provided `List-Id'.
>   The -discuss list is moderated by the Xen Project Security Team.
>   Announcements of private availability of fixed versions, and
>   technical messages about embargoed advisories, will be approved.
>   Messages dealing with policy matters will be rejected with a
>   reference to the Security Team contact address and/or public Xen
>   mailing lists.
> (That list obviously doesn't exist yet, but if the policy is approved
> we will create it.)
> One reason for permitting this is that we want fairness between
> service providers who use their own versions of Xen, and ones who use
> a version from a software provider.  Both kinds of service provider
> should be able to test the fix during the embargo.


Xen-devel mailing list