
Re: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem

Lars Kurth writes ("Re: [Xen-devel] Security policy ambiguities - XSA-108 
process post-mortem"):
> On 10 Nov 2014, at 18:01, Ian Jackson <ijackson@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> >  The Security Team will impose deployment restrictions only insofar
> >  as it is necessary to prevent the exposure of technicalities (for
> >  example, differences in behaviour) which present a significant risk
> >  of rediscovery of the vulnerability.  Such situations are expected
> >  to be rare.
> +1
> However, I find the text somewhat confusing. "may deploy fixed
> versions during the embargo, only with permission from the
> Security Team" contradicts the other statements, that deploying
> fixes is OK, unless stated in the advisory text.

I will clarify my proposed wording on this point.

> In any case, it is not quite clear what the protocol to get permission 
> is. Or whether, the protocol is "deployment is OK" unless stated 
> otherwise.
> So I think, in the final policy text this should be written from the 
> viewpoint of a pre-disclosure member, not the viewpoint of the 
> Security Team.
> Or is the intention that permission is sought via
> xen-security-issues-discuss@xxxxxxxxxxxxxxxxxxxx? 

No, the permission will be stated in the advisory.  I have reworded
this in my copy of my draft text to make this clearer.
