
Re: [Xen-devel] [Xen-users] Security disclosure process discussion update

On Tue, 2013-04-16 at 14:05 +0100, George Dunlap wrote:
> On 15/04/13 15:55, Ian Campbell wrote:
> >
> > Asking them to set up xen-security-team@xxxxxxxxxx seems a bit of a
> > burden
> I'm just curious, is it really that much of a burden?  If Debian, for 
> example, already has infrastructure to accept 
> "<package>@packages.debian.org", how much extra work is it to add 
> "<package>-security@xxxxxxxxxx"?

For just one $package it's probably still a moderate amount of work. I
would guess that it would require coordination with the DSA (Debian Sys
Admins, or whoever controls mx.debian.org and mx.packages.debian.org) to
set up the new alias and track/manage who the real maintainer(s) is/are for
$package over time and changes etc. Remember that part of the problem
here is that the maintainer field can be, and for better or worse often is,
set to a public mailing list, so there would need to be some rounds of
discussion etc. about what the correct membership of the list should be
(use the changed-by field, use the uploaders field?). Packages are not
necessarily very consistent in these areas...

Now maybe the generic any $package variant of that would be a useful
thing for a distro to have but that would be even more work to actually
make it useful and it would be hard to guarantee that it remained
private for any given package (which somewhat defeats the purpose!)

