
Re: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem



On 10 Oct 2014, at 16:47, Jan Beulich <jbeulich@xxxxxxxx> wrote:
> 
>>> Predisclosure list membership
> 
> This whole final section I completely agree with.
> 
> There's one more thing I thought of btw: When we change the
> policy following whatever community input we gathered (not just
> now, but also in the future), people currently on the pre-disclosure
> list may (at least theoretically) end up no longer qualifying for
> being on the list. Shouldn't we
> - add some kind of statement to the effect of implicit agreement
>  to changed terms,
> - provide means for list members to be removed other than by
>  them asking for it?
> 
> Jan

I also was wondering whether it would make sense to put a time-limit on 
applications. For example, we could say that processing an application will 
take 2 weeks. By doing so, we avoid having to handle applications as a response 
to media speculation. If we get an application wrong, and allow somebody wrong 
on the list who then discloses information related to an embargo, we would 
create risks for others already on the list. This would be the worst possible 
outcome for the project. Just a thought.

Regards
Lars

