
Re: [Xen-devel] Security vulnerability process, and CVE-2012-0217

On Wed, 4 Jul 2012, Jan Beulich wrote:
> >>> On 04.07.12 at 15:30, Stefano Stabellini 
> >>> <stefano.stabellini@xxxxxxxxxxxxx> wrote:
> > Can we just avoid all this and use the security list to communicate that
> > a fix is going to be available on a particular hour of a particular day?
> > This way all the software vendors and service providers can ready
> > themselves to deploy it as soon as they can.
> > The fix would be released to the security list and xen-devel at the same
> > time.
> That would only call for each party trying to create and deliver
> their fix themselves and up front. You'd then also have to hide
> the issue description.

Yes, we would have to hide the issue description.

> Which would render the security list redundant.

It would be a very different kind of security list.

> > In practice, given the terms of the GPL, we cannot restrict anybody on
> > the list from releasing the source of the fix before the embargo ends.
> Of course. It's an agreement between the list members to not
> disclose anything.

Yes, but an agreement that cannot be legally enforced.

Xen-devel mailing list


