Re: [Xen-devel] [DRAFT] Coverity Access Policy

On Wed, 2013-09-25 at 10:26 -0400, Konrad Rzeszutek Wilk wrote:
> On Wed, Sep 25, 2013 at 09:34:08AM +0100, Ian Campbell wrote:
> > On Tue, 2013-09-24 at 13:35 -0400, Konrad Rzeszutek Wilk wrote:
> > > On Mon, Sep 23, 2013 at 03:14:52PM +0100, Ian Campbell wrote:
> > > > I've tried to codify some of the ideas put forward in the previous
> > > > thread and round out the proposal with some practicalities.
> > > > 
> > > > I was undecided about requiring unanimity (i.e. no objections from a
> > > > maintainer) rather than just consensus. Any thoughts on that? A (well
> > > > reasoned) objection should carry a fair bit of weight under these
> > > > circumstances I think.
> > > > 
> > > > 8<--------------------------------
> > > > 
> > > > The Xen Project is registered with the "Coverity Scan" service[0]
> > > > which applies Coverity's static analyser to the Open Source
> > > > projects. The tool can and does find flaws in the source code which
> > > > can include security issues.
> > > > 
> > > > Triaging and proposing solutions for the flaws found by Coverity is a
> > > > useful way in which Community members can contribute to the Xen
> > > > Project. However because the service may discover security issues and
> > > > the Xen Project practices responsible disclosure as described in "Xen
> > > > Security Problem Response Process"[1] the full database of issues
> > > > cannot simply be made public.
> > > > 
> > > > Members of the community may request access to the Coverity database
> > > > under the condition that for any security issues discovered, they:
> > > > 
> > > >  * agree to follow the security response process[1].
> > > >  * undertake to report security issues discovered to the security team
> > > >    (security@xxxxxxx) within 3 days of discovery.
> > > >  * waive their right to select the disclosure time line. Discoveries
> > > >    will follow the default time lines given in the policy.
> > > >  * agree to not disclose any issue discovered other than to the
> > > >    security team, unless this has been approved by the security team.
> > > 
> > > Perhaps that sentence above could be changed to:
> > > 
> > >  * agree to disclose issues discovered to the security team. Unless the
> > >    security team has given approval to publicly disclose it.
> > 
> > I don't think this wording quite so clearly excludes telling your
> > friends/blackhats/people in the pub.
> > 
> > I prefer my original wording.
> 
> Perhaps it is me having an English as a secondary language but I had
> a rough time understanding 'not', and 'unless' in the sentence.
> It made it much easier to understand when I flipped it.
> 
> Maybe this:
>   * agree to disclose the issues discovered ONLY to the security team.
>     Unless the security team has given approval to publicly disclose it.

My issue with your wording was with "publicly".

How about:
  * agree to disclose the issues discovered ONLY to the security team
    and not to any other party.

If so I'd move it to be the bullet after "undertake to report".

We can leave out the "unless approved bit", we will deal with that on a
case by case basis.

Ian.


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel