Re: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem
>>> On 09.10.14 at 13:24, <George.Dunlap@xxxxxxxxxxxxx> wrote:
> I think that the security team should attempt to determine whether
> pre-disclosure deployment might give away too much information, and
> specifically say in each advisory whether early deployment is allowed
> or not, potentially with specifications about what kind of deployments
> will be allowed (if necessary). Most of the time this will just be,
> "Rebooting servers to deploy this fix is allowed", but it leaves the
> option open to change it if necessary.

We're sometimes already struggling to determine the set of consequences
a certain issue may have (see statements like "... cannot be excluded").
I think anticipating what sufficiently "qualified" people may be able
to guess from early deployment would end up being rather difficult.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel