Re: [Xen-devel] Security support scope (apropos of Xen and CNA)

>>> On 04.05.17 at 14:53, <ian.jackson@xxxxxxxxxxxxx> wrote:
> To become a CNA (CVE Numbering Authority), which we would like to do,
> we need to provide MITRE's CNA programme with a definition of the
> scope of our CNA.  That should be the scope of our general security
> support, clearly.
>
> At the moment we don't seem to have this written down in a single
> clear document.  I am aware of the following places which can contain
> information about security support (normally, in the form of
> statements saying that certain things are not supported):
>  * https://wiki.xenproject.org/wiki/Xen_Project_Release_Features has a
>    table of versions with security support, and information about some
>    features.
>  * xen.git:docs/misc/qemu-xen-security, limits security support to
>    some configurations.
>  * xen.git:MAINTAINERS might in principle have a status not implying
>    security support.
>  * Docs for an individual feature (eg in xl docs) might say that the
>    feature is not advised, or not supported, or something.
>  * Previous XSA advisories might withdraw support.
>
> This diversity of information sources is rather unsatisfactory.
> I think we need to at least reduce the number of different information
> sources.  Also we need an overview document which points to them all.
> Where should this overview document be?  Which of the above sources
> should be coalesced into which others?

Generally the (or a new) wiki page would seem the best place to me,
if only there weren't some pretty fine grained restrictions, like the
use of certain command line options rendering the whole thing
unsupported. For that specific example, it would seem to me that
only the command line doc itself would be a suitable place (and we'd
basically have to go through and add a warning for every such
option). Bottom line - I'm not sure a single place will do, but of course
one central place could/should xref all other places with additional