[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [Xen-users] Security disclosure process discussion update

On 24/04/13 12:02, George Dunlap wrote:
On 19/04/13 20:41, Ian Campbell wrote:
On Tue, 2013-04-16 at 15:13 +0100, Ian Campbell wrote:
On Tue, 2013-04-16 at 14:05 +0100, George Dunlap wrote:
On 15/04/13 15:55, Ian Campbell wrote:
Asking them to setup xen-security-team@xxxxxxxxxx seems a bit of a
I'm just curious, is it really that much of a burden?  If Debian, for
example, already has infrastructure to accept
"<package>@packages.debian.org", how much extra work is it to add
For just one $package its probably still a moderate amount of work. I
Ian J pointed out to me IRL that this is the sort of thing alioth (the
Debian Source/FusionForge instance) ought to be able to provide and I
can see an interface which purports to allow me to create a private list
on there (but I've not tried it).

Not sure about other distros but this seems to solve it for Debian at
How about the following:

The addition of individual e-mail addresses for
        an organization in addition to the organizational e-mail address
        will be considered in exceptional circumstances; for example, if
        the maintainer for the xen package is not on the organization's
        security e-mail list, and either maintaining a separate list or
        having those on the list act as an intermediary would be too


I'd like to get the vote started on this in the next week or two.


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.