[Xen-devel] Security support scope (apropos of Xen and CNA)

To become a CNA (CVE Numbering Authority), which we would like to do,
we need to provide MITRE's CNA programme with a definition of the
scope of our CNA.  That should be the scope of our general security
support, clearly.

At the moment we don't seem to have this written down in a single
clear document.  I am aware of the following places which can contain
information about security support (normally, in the form of
statements saying that certain things are not supported):

 * https://wiki.xenproject.org/wiki/Xen_Project_Release_Features has a
   table of versions with security support, and information about some

 * xen.git:docs/misc/qemu-xen-security limits security support to
   some configurations.

 * xen.git:MAINTAINERS might in principle have a status not implying
   security support.

 * Docs for an individual feature (e.g. in xl docs) might say that the
   feature is not advised, or not supported, or something.

 * Previous XSA advisories might withdraw support.

This diversity of information sources is rather unsatisfactory.

I think we need to at least reduce the number of different information
sources.  Also we need an overview document which points to them all.

Where should this overview document be?  Which of the above sources
should be coalesced into which others?


