
Re: [Xen-devel] [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015



> On 3 Jun 2015, at 10:35, Ian Campbell <Ian.Campbell@xxxxxxxxxx> wrote:
> 
> On Mon, 2015-06-01 at 10:36 +0100, Lars Kurth wrote:
>> In the event that we do not have a patch available two working weeks
>> before the disclosure date, we aim to send an advisory that reflects
>> the current state of knowledge to the Xen security pre-disclosure
>> list. An updated advisory will be published as soon as available.
> 
> I'm a bit concerned about the conditions and frequency with which
> updated advisories would be expected, but not enough to object, +1.
> 
> Ian.

Ian, I would expect that this clause will only really kick in in rare situations,
as in the Venom case, where we were waiting for a patch from a 3rd party. For 
example, if the security team almost has an advisory ready 2 weeks before the 
disclosure date, I wouldn't expect that anything would change and you just do 
what you have always done. I think the phrase "aim to" gives the security team 
enough flexibility.

That was my interpretation of the text (or the intention). I just didn't want 
to over-codify the text. 

Does this make sense?

Regards
Lars

