[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015

To: Lars Kurth <lars.kurth.xen@xxxxxxxxx>
From: Ian Campbell <ian.campbell@xxxxxxxxxx>
Date: Fri, 5 Jun 2015 12:43:04 +0100
Cc: keir Fraser <keir@xxxxxxx>, Tim Deegan <tim@xxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>, Major Hayden <major.hayden@xxxxxxxxxxxxx>, "<xen-devel@xxxxxxxxxxxxx>" <xen-devel@xxxxxxxxxxxxx>, security@xxxxxxxxxxxxxx
Delivery-date: Fri, 05 Jun 2015 11:43:25 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Fri, 2015-06-05 at 12:32 +0100, Lars Kurth wrote:
> > On 3 Jun 2015, at 10:35, Ian Campbell <Ian.Campbell@xxxxxxxxxx> wrote:
> > 
> > On Mon, 2015-06-01 at 10:36 +0100, Lars Kurth wrote:
> >> In the event that we do not have a patch available two working weeks
> >> before the disclosure date, we aim to send an advisory that reflects
> >> the current state of knowledge to the Xen security pre-disclosure
> >> list. An updated advisory will be published as soon as available.
> > 
> > I'm a bit concerned about the conditions and frequency with which
> > updated advisories would be expected, but not enough to object, +1.
> > 
> > Ian.
> 
> Ian, would expect that this clause will only really kick in in rare 
> situations, as in the Venom case, where we were waiting for a patch from a 
> 3rd party. For example, if the security team almost has an advisory ready 2 
> weeks before the disclosure date, I wouldn't expect that anything would 
> change and you just do what you have always done. I think the phrase "aim to" 
> gives the security team enough flexibility.
> 
> That was my interpretation of the text (or the intention). I just didn't want 
> to over-codify the text. 
> 
> Does this make sense?

Yep, and more importantly I can point to this mail if there is any
disagreement about the spirit of the text ;-)

Ian.


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015
  - From: Lars Kurth

References:
- [Xen-devel] [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015
  - From: Lars Kurth
- Re: [Xen-devel] [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015
  - From: Ian Campbell
- Re: [Xen-devel] [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015
  - From: Lars Kurth

Prev by Date: Re: [Xen-devel] [PATCH] xen/pass-through: ROM BAR handling adjustments
Next by Date: Re: [Xen-devel] OpenStack - Libvirt+Xen CI overview : anyone interested in a walk/through or presentation on how it works
Previous by thread: Re: [Xen-devel] [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015
Next by thread: Re: [Xen-devel] [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.