[Xen-devel] [PATCH SECURITY-POLICY 0/9] Re: Security policy ambiguities - XSA-108 process post-mortem
Jan Beulich writes ("[Xen-devel] [PATCH SECURITY-POLICY 0/9] Re: Security policy ambiguities - XSA-108 process post-mortem"):
> LGTM, but I think there's no point in ack-ing the series as the
> changes need to be voted on anyway.

Indeed. I will post a v2 with the minor fixes from this thread incorporated.

> One thing I'm missing though is some statement regarding the
> handling of existing list members when the policy changes (while
> the agreement given by them during the application process was
> only for an earlier version).

I don't think this is necessary in this case. The questions which are explicitly addressed in the policy now are almost all (a) clarifications of things which were unclear before and which in the past the Security Team have had to answer, and (b) resolved in a permissive way.

The exception is the possibility that deployment of a particular fix would be forbidden. But if that were to arise, it would be stated clearly in the advisory text. I don't think we need to explicitly invite predisclosure list members to agree to such a statement, given the vagueness of the existing policy.

I have deliberately not included a requalification process in this series of changes. I would like to leave that to a later update.

Ian.