[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015
On Fri, 2015-06-05 at 12:32 +0100, Lars Kurth wrote: > > On 3 Jun 2015, at 10:35, Ian Campbell <Ian.Campbell@xxxxxxxxxx> wrote: > > > > On Mon, 2015-06-01 at 10:36 +0100, Lars Kurth wrote: > >> In the event that we do not have a patch available two working weeks > >> before the disclosure date, we aim to send an advisory that reflects > >> the current state of knowledge to the Xen security pre-disclosure > >> list. An updated advisory will be published as soon as available. > > > > I'm a bit concerned about the conditions and frequency with which > > updated advisories would be expected, but not enough to object, +1. > > > > Ian. > > Ian, would expect that this clause will only really kick in in rare > situations, as in the Venom case, where we were waiting for a patch from a > 3rd party. For example, if the security team almost has an advisory ready 2 > weeks before the disclosure date, I wouldn't expect that anything would > change and you just do what you have always done. I think the phrase "aim to" > gives the security team enough flexibility. > > That was my interpretation of the text (or the intention). I just didn't want > to over-codify the text. > > Does this make sense? Yep, and more importantly I can point to this mail if there is any disagreement about the spirit of the text ;-) Ian. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |