Re: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem
On Thu, Oct 09, 2014 at 12:06:23AM +0100, Ian Jackson wrote:
> The -discuss list is moderated by the Xen Project Security Team.
> Announcements of private availability of fixed versions, and
> technical messages about embargoed advisories, will be approved.
> Messages dealing with policy matters will be rejected with a
> reference to the Security Team contact address and/or public Xen
> mailing lists.

Why do you think such a hypothetical list needs to be moderated?

> List members who are service providers may deploy fixed versions
> during the embargo, PROVIDED THAT any action taken by the service
> provider gives no indication (to their users or anyone else) as to
> the nature of the vulnerability.

Why this constraint to "who are service providers"?

> The Security Team should be forbidden from trying to hunt down
> eligibility information etc. and should instead be mandated to reject
> incomplete requests.

> The Security Team has no discretion to accept applications which do
> not provide all of the information required above.

Is there a particular reason why you want to restrict them?

Bastian

--
You! What PLANET is this!
    -- McCoy, "The City on the Edge of Forever", stardate 3134.0

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel