[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH RFC] Make all public hosting providers eligible for the pre-disclosure list



On 03/12/12 17:26, Ian Campbell wrote:
On Mon, 2012-12-03 at 17:12 +0000, George Dunlap wrote:
On Tue, Nov 27, 2012 at 12:05 PM, George Dunlap
<George.Dunlap@xxxxxxxxxxxxx> wrote:
         On Mon, Nov 19, 2012 at 5:42 PM, Ian Campbell
         <Ian.Campbell@xxxxxxxxxx> wrote:
> + <p>Here as a rule of thumb, "public hosting
                 provider" means
                 > +    "selling virtualization services to the general
                 public";
                 > +    "large-scale" and "widely deployed" means an
                 installed base of
                 > +    300,000 or more Xen guests.  Other
                 well-established organisations
                 > +    with a mature security response process will be
                 considered on a
                 > +    case-by-case basis.</p>
I agree with Ian that relaxing this for software
                 vendors also seems the
                 correct thing to do.
If we're going to include software vendors, we need some
         simple criteria to define what a "real" software vendor is.
         The idea of asking for a link from cloud providers pointing to
         public rates and a security policy, which Ian Jackson
         proffered, was a good one.  I suppose we could do something
         similar for software providers: a link to a web page with
         either download-able install images, or prices, perhaps?
Thinking a bit more about this one -- if someone had (say) a Debian
derivative that looked like it was basically just a different default
set of packages -- IOW, a very small amount of effort to create and
maintain -- that wouldn't qualify for being on the list, right?  So it
seems to me like "amount of effort spent" is kind of what we're
looking for, right?  I mean, if 2-3 developers are spending 3-4 hours
per week each working on something, then it's clearly a project we
could consider, even if it's really small.  I'm sure that would
include QubesOS, ArchLinux, Edubuntu, Scientific Linux, &c &c.  But if
it's one guy spending half an hour every six months, he doesn't really
need to be on the list I don't think.
Is "deviation from upstream" a factor at all?

e.g. is a Debian derivative just ships the Xen bits direct from Debian
then there doesn't seem to be much call for them to be on the list, they
can simply just ship the security update too. This would be true even if
they were dozens of engineers working full time.

I was going to say that if they're not informed, there may be a longer turn-around time; but providers on the list are explicitly allowed to say that there *is* a vulnerability, and *when* the disclosure is scheduled to be, so if it's just a matter of making the same bits available that Debian has made available, it shouldn't be too long for those who are prepared.

But how much extra work would you need to do to qualify you for the list? Suppose there's a derivative with a single additional patch -- that will still require pulling in the source, potentially porting the patch, doing a re-build, and some basic re-testing -- that whole thing could take a day even for a well-funded project.

If the criteria is so small, and so easy to qualify (just re-build the package basically), I'm not sure it's so useful to mention it.

I went looking for the linux-distros list inclusion criteria, in the
hopes we could just piggy back off that, but I can't find it right now.

I've got a draft I think is helpful; I'll send a v2 and people can see what they think of it.

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.