Xen project Mailing List

Re: [Xen-devel] [Xen-users] Security disclosure process discussion update

To: George Dunlap <george.dunlap@xxxxxxxxxxxxx>

From: Ian Campbell <Ian.Campbell@xxxxxxxxxx>

Date: Wed, 1 May 2013 16:37:54 +0100

Cc: "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>

Delivery-date: Wed, 01 May 2013 15:38:11 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Wed, 2013-05-01 at 16:31 +0100, George Dunlap wrote: > On 24/04/13 12:02, George Dunlap wrote: > > On 19/04/13 20:41, Ian Campbell wrote: > >> On Tue, 2013-04-16 at 15:13 +0100, Ian Campbell wrote: > >>> On Tue, 2013-04-16 at 14:05 +0100, George Dunlap wrote: > >>>> On 15/04/13 15:55, Ian Campbell wrote: > >>>>> Asking them to setup xen-security-team@xxxxxxxxxx seems a bit of a > >>>>> burden > >>>> I'm just curious, is it really that much of a burden? If Debian, for > >>>> example, already has infrastructure to accept > >>>> "<package>@packages.debian.org", how much extra work is it to add > >>>> "<package>-security@xxxxxxxxxx"? > >>> For just one $package its probably still a moderate amount of work. I > >> Ian J pointed out to me IRL that this is the sort of thing alioth (the > >> Debian Source/FusionForge instance) ought to be able to provide and I > >> can see an interface which purports to allow me to create a private list > >> on there (but I've not tried it). > >> > >> Not sure about other distros but this seems to solve it for Debian at > >> least. > > How about the following: > > > > The addition of individual e-mail addresses for > > an organization in addition to the organizational e-mail address > > will be considered in exceptional circumstances; for example, if > > the maintainer for the xen package is not on the organization's > > security e-mail list, and either maintaining a separate list or > > having those on the list act as an intermediary would be too > > onerous. > > Ping? Sorry, thought I'd replied. Given that Ian J has pointed me to Alioth private lists I'm no longer concerned about this from Debian's PoV. I don't really know if this is going to be an issue for other distros or not -- I suppose I'm inclined to feel that if Debian can manage it so can they. Ian _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.