This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-devel] Security vulnerability process

To: Mike Bursell <mike.bursell@xxxxxxxxxx>
Subject: Re: [Xen-devel] Security vulnerability process
From: Ian Campbell <Ian.Campbell@xxxxxxxxxx>
Date: Tue, 26 Jul 2011 18:51:52 +0100
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Tue, 26 Jul 2011 10:52:45 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <FAFE59DA478A2049938DF14B5C4B90FCB343067736@xxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Organization: Citrix Systems, Inc.
References: <FAFE59DA478A2049938DF14B5C4B90FCB343067736@xxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
On Tue, 2011-07-26 at 11:25 -0400, Mike Bursell wrote:
> Ian/all -
> >In May I sent out a draft security vulnerability process.  Mostly it
> >seems to have met with approval or at least acquiescence.
> >We received some comments and based on that I have prepared a new
> >final draft.  The changes ought not to be controversial.
> >Please send any final comments by the 28th of July (14 days from
> >now).  Unless there are objections, we will regard the process as
> >formally in force from that date.
> Sorry for the rather last-minute response, but we've been considering 
> this process within Citrix, and although the process seems very clear
> and deals with most cases admirably, we'd like to propose a couple of 
> changes to deal with edge cases, and one other change on top.
> I've included the original mail below, for reference in case people
> don't have it.
> Proposed changes
> i. extend the standard embargo period from one week to two to allow more
> time for response/roll-out.

This seems reasonable enough.

> ii. allow the standard initial week to flex in the case that a fix is
> not immediately found.

I think the existing wording is already pretty clear that these
timespans are a starting point and that it is subject to change if there
is good reason.

> iii. allow the standard embargo period to be extended, by consensus of
> those on the predisclosure list, moderated by the Board, to a longer
> period.  This is to deal with cases where the vulnerability is
> particularly severe and/or the fixes are particularly onerous to roll
> out.  

Ultimately the final determination lies with the discoverer, who is under
no obligation to abide by any decision made by the board.
