Re: [Xen-devel] Security vulnerability process, and CVE-2012-0217


  • To: xen-devel@xxxxxxxxxxxxx
  • From: Thomas Goirand <thomas@xxxxxxxxxx>
  • Date: Thu, 28 Jun 2012 02:07:25 +0800
  • Delivery-date: Wed, 27 Jun 2012 18:07:54 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>

Hi Ian,

Thanks for discussing this in a public way!

On 06/20/2012 02:16 AM, Ian Jackson wrote:
> We had one request from a public Xen cloud provider to be provided
> with predisclosure information.  However it appeared to us that they
> didn't meet the size threshold in the process document.
>
> The size threshold is of course open to discussion.
I find the concept of a "Xen Cloud provider size threshold"
quite anti-competitive. Why would a bigger provider be
offered a substantial advantage over the smaller one?

On 06/20/2012 02:16 AM, Ian Jackson wrote:
> One particular issue here which also relates to the predisclosure
> membership criteria, is whether large indirect consumers of Xen should
> be on the predisclosure list in their own right.  That would allow
> them to deploy the fix before the embargo date.  It would also allow
> them to prepare for testing and deployment, before the fix is
> available from their vendor (who would in this scenario also be
> entitled to be a predisclosure list member).

And other hosting providers not in the list? They can be hacked and die,
while the big ones are safe?

Why wouldn't a smaller company know? Can *I* be in the predisclosure list?
If you reject me from such list, why? What's the procedure to be on such
list?

On 06/20/2012 05:45 PM, George Dunlap wrote:
> The only way this would work is if the predisclosure list consisted
> exclusively of software providers, and specifically excluded service
> providers.

I agree, though you might have corner cases.

What if you are *both* a software and a service provider (e.g. I'm working on
Debian and XCP, and my small company provides a hosted Xen service)?

Cheers,

Thomas


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel