[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [Xen-users] Security disclosure process discussion update

On 19/04/13 20:41, Ian Campbell wrote:

On Tue, 2013-04-16 at 15:13 +0100, Ian Campbell wrote:

On Tue, 2013-04-16 at 14:05 +0100, George Dunlap wrote:

On 15/04/13 15:55, Ian Campbell wrote:

Asking them to setup xen-security-team@xxxxxxxxxx seems a bit of a
burden

I'm just curious, is it really that much of a burden?  If Debian, for
example, already has infrastructure to accept
"<package>@packages.debian.org", how much extra work is it to add
"<package>-security@xxxxxxxxxx"?

For just one $package its probably still a moderate amount of work. I

Ian J pointed out to me IRL that this is the sort of thing alioth (the
Debian Source/FusionForge instance) ought to be able to provide and I
can see an interface which purports to allow me to create a private list
on there (but I've not tried it).

Not sure about other distros but this seems to solve it for Debian at
least.


How about the following:

The addition of individual e-mail addresses for
      an organization in addition to the organizational e-mail address
      will be considered in exceptional circumstances; for example, if
      the maintainer for the xen package is not on the organization's
      security e-mail list, and either maintaining a separate list or
      having those on the list act as an intermediary would be too
      onerous.

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.