
Re: [Xen-devel] Security vulnerability process, and CVE-2012-0217



>>> On 04.07.12 at 15:30, Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx> wrote:
> Can we just avoid all this and use the security list to communicate that
> a fix is going to be available on a particular hour of a particular day?
> This way all the software vendors and service providers can ready
> themselves to deploy it as soon as they can.
> The fix would be released to the security list and xen-devel at the same
> time.

That would only call for each party trying to create and deliver
their fix themselves and up front. You'd then also have to hide
the issue description. Which would render the security list
redundant.

> In practice, given the terms of the GPL, we cannot restrict anybody on
> the list from releasing the source of the fix before the embargo ends.

Of course. It's an agreement between the list members to not
disclose anything.

Jan

