[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-users] [Xen-devel] Security disclosure process discussion update
On Mon, Dec 17, 2012 at 12:58:13PM +0000, George Dunlap wrote: > After concluding our poll [1] about changes to the security > discussion, we determined that "Pre-disclosure to software vendors and > a wide set of users" was probably the best fit for the community. A > set of concrete changes to the policy have now been discussed on > xen-devel [2] [3], and we seem to have converged on something everyone > finds acceptable. > > We are now presenting these changes for public review. The purpose of > this review process is to allow feedback on the text which will be > voted on, in accordance to the Xen.org governance procedure [3]. Our > plan is to leave this up for review until the third week in January. > Any substantial updates will be mentioned on the blog and will extend > the review time. > > All feedback and discussion should happen in public on the xen-devel > mailing list. If you have any suggestions for how to improve the > proposal, please e-mail the list, and cc George Dunlap (george dot > dunlap at citrix.com). > > = Summary of the updates = > > As discussed on the xen-devel mailing list, expand eligibility of the > pre-disclosure list to include any public hosting provider, as well > as software project: > * Change "Large hosting providers" to "Public hosting providers" > * Remove "widely-deployed" from vendors and distributors > * Add rules of thumb for what constitutes "genuine" > * Add an itemized list of information to be included in the application, > to make expectations clear and (hopefully) applications more streamlined. > > The first will allow hosting providers of any size to join. > > The second will allow software projects and vendors of any size to join. > > The third and fourth will help describe exactly what criteria will be used > to > determine eligibility for 1 and 2. > > Additionally, this proposal adds the following requirements: > * Applicants and current members must use an e-mail alias, not an > individual's > e-mail So if we use an mailing list internally.. > * Applicants and current members must submit a statement saying that they > have > read, understand, and will abide by this process document. Are the folks on the internal mailing list bound by this as well? Meaning that if a new person would like to join the internal mailing list they need to have read, understood, etc the process document? I would presume so, but you are not stating it here nor: http://wiki.xen.org/wiki/Security_vulnerability_process_draft So what is driving the 'alias' requirement? _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxx http://lists.xen.org/xen-users
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |