
Re: [Xen-devel] [Xen-users] Security disclosure process discussion update

On Wed, 2013-05-01 at 16:31 +0100, George Dunlap wrote:
> On 24/04/13 12:02, George Dunlap wrote:
> > On 19/04/13 20:41, Ian Campbell wrote:
> >> On Tue, 2013-04-16 at 15:13 +0100, Ian Campbell wrote:
> >>> On Tue, 2013-04-16 at 14:05 +0100, George Dunlap wrote:
> >>>> On 15/04/13 15:55, Ian Campbell wrote:
> >>>>> Asking them to set up xen-security-team@xxxxxxxxxx seems a bit of a
> >>>>> burden
> >>>> I'm just curious, is it really that much of a burden?  If Debian, for
> >>>> example, already has infrastructure to accept
> >>>> "<package>@packages.debian.org", how much extra work is it to add
> >>>> "<package>-security@xxxxxxxxxx"?
> >>> For just one $package it's probably still a moderate amount of work. I
> >> Ian J pointed out to me IRL that this is the sort of thing alioth (the
> >> Debian Source/FusionForge instance) ought to be able to provide and I
> >> can see an interface which purports to allow me to create a private list
> >> on there (but I've not tried it).
> >>
> >> Not sure about other distros but this seems to solve it for Debian at
> >> least.
> > How about the following:
> >
> > The addition of individual e-mail addresses for
> >         an organization in addition to the organizational e-mail address
> >         will be considered in exceptional circumstances; for example, if
> >         the maintainer for the xen package is not on the organization's
> >         security e-mail list, and either maintaining a separate list or
> >         having those on the list act as an intermediary would be too
> >         onerous.
> Ping?

Sorry, thought I'd replied.

Given that Ian J has pointed me to Alioth private lists I'm no longer
concerned about this from Debian's PoV. I don't really know if this is
going to be an issue for other distros or not -- I suppose I'm inclined
to feel that if Debian can manage it so can they.


Xen-devel mailing list


