Re: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem
Lars Kurth writes ("Re: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem"):
> On 10 Nov 2014, at 18:01, Ian Jackson <ijackson@xxxxxxxxxxxxxxxxxxxxxx> wrote:
...
> > The Security Team will impose deployment restrictions only insofar
> > as it is necessary to prevent the exposure of technicalities (for
> > example, differences in behaviour) which present a significant risk
> > of rediscovery of the vulnerability. Such situations are expected
> > to be rare.
>
> +1
>
> However, I find the text somewhat confusing. "may deploy fixed
> versions during the embargo, only with permission from the
> Security Team" contradicts the other statements, that deploying
> fixes is OK, unless stated in the advisory text.

I will clarify my proposed wording on this point.

> In any case, it is not quite clear what the protocol to get permission
> is. Or whether the protocol is "deployment is OK" unless stated
> otherwise.
>
> So I think, in the final policy text this should be written from the
> viewpoint of a pre-disclosure member, not the viewpoint of the
> Security Team.
>
> Or is the intention that permission is sought via
> xen-security-issues-discuss@xxxxxxxxxxxxxxxxxxxx?

No, the permission will be stated in the advisory. I have reworded this in my copy of my draft text to make this clearer.

Thanks,
Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel