
Re: [Xen-devel] [Xen-users] Security disclosure process discussion update



On 24/04/13 12:02, George Dunlap wrote:
> On 19/04/13 20:41, Ian Campbell wrote:
>> On Tue, 2013-04-16 at 15:13 +0100, Ian Campbell wrote:
>>> On Tue, 2013-04-16 at 14:05 +0100, George Dunlap wrote:
>>>> On 15/04/13 15:55, Ian Campbell wrote:
>>>>> Asking them to set up xen-security-team@xxxxxxxxxx seems a bit of a
>>>>> burden
>>>> I'm just curious, is it really that much of a burden?  If Debian, for
>>>> example, already has infrastructure to accept
>>>> "<package>@packages.debian.org", how much extra work is it to add
>>>> "<package>-security@xxxxxxxxxx"?
>>> For just one $package it's probably still a moderate amount of work. I
>> Ian J pointed out to me IRL that this is the sort of thing alioth (the
>> Debian Source/FusionForge instance) ought to be able to provide and I
>> can see an interface which purports to allow me to create a private list
>> on there (but I've not tried it).
>>
>> Not sure about other distros but this seems to solve it for Debian at
>> least.
> How about the following:
>
>         The addition of individual e-mail addresses for
>         an organization in addition to the organizational e-mail address
>         will be considered in exceptional circumstances; for example, if
>         the maintainer for the xen package is not on the organization's
>         security e-mail list, and either maintaining a separate list or
>         having those on the list act as an intermediary would be too
>         onerous.

Ping?

I'd like to get the vote started on this in the next week or two.

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 

