[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Security vulnerability process, and CVE-2012-0217

>>> On 04.07.12 at 14:56, George Dunlap <George.Dunlap@xxxxxxxxxxxxx> wrote:
> On Wed, Jul 4, 2012 at 1:52 PM, Jan Beulich <JBeulich@xxxxxxxx> wrote:
>> Being on the list doesn't make you non-susceptible. Such an
>> approach, imo, would need to imply permission to anyone on
>> the list to deploy a fix as soon as it is available. But since
>> distros can't ship binaries without also making sources available,
>> that's a contradiction by itself.
> Yes, preventing vendors from shipping until the public disclosure date
> would discriminates against "vendor-supplied" users in favor of
> "self-supplied" users (i.e., those who download and build their own
> directly from xen.org).
> Would it work to say that vendors can ship to anyone on the list?  In
> theory that could work, but in practice I think most distros would
> rather just release once and be done with it, rather than dealing with
> a 2-stage process.

So would I think.


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.