From: Ian Campbell
Subject: Re: Security policy ambiguities - XSA-108 process post-mortem
Date: Mon, 10 Nov 2014 12:35:20 +0000
Message-ID: <1415622920.25176.8.camel@citrix.com>
References: <21557.24142.873029.148164@mariner.uk.xensource.com> <21557.50031.783473.873273@chiark.greenend.org.uk> <1413894766.23337.34.camel@citrix.com> <21586.10214.683512.296628@chiark.greenend.org.uk> <20141031224036.GA16669@u109add4315675089e695.ant.amazon.com> <1415186272.15317.5.camel@citrix.com> <0E6C0A5F-0FE6-42A6-BD57-60ADB3D21B82@gmail.com>
In-Reply-To: <0E6C0A5F-0FE6-42A6-BD57-60ADB3D21B82@gmail.com>
To: Lars Kurth
Cc: Matt Wilson, Ian Jackson, xen-devel@lists.xenproject.org
List-Id: xen-devel@lists.xenproject.org

On Thu, 2014-11-06 at 16:01 +0000, Lars Kurth wrote:
> On 5 Nov 2014, at 11:17, Ian Campbell wrote:
>
> > On Fri, 2014-10-31 at 15:40 -0700, Matt Wilson wrote:
> >> I think that we should reduce any burden on the security team by
> >> making this a community decision that is discussed in public, rather
> >> than something that is handled exclusively in a closed manner as it is
> >> today. This way others who are active community participants can help
> >> with the decision-making process, can do the investigation and weigh in
> >> on the risk/benefit tradeoff to the security process and the
> >> project. See Message-ID: <20141021143053.GA22864@u109add4315675089e695.ant.amazon.com>
> >> or [1] if you are willing to visit a URL. ;-)
> >>
> >> There's been a bit of talk about "delay" and so on. I'd rather not set
> >> expectations on how long processing a petition to be added to the
> >> predisclosure list should take. Building community consensus takes
> >> time, just as it does for
> >
> > I think regardless of who is processing the applications, what is more
> > important is to have a concrete set of *objective* criteria. Anyone who
> > demonstrates that they meet those criteria must be allowed to join.
>
> I don't think that having applications discussed and processed on a
> dedicated public list and objective criteria are mutually exclusive.

I didn't say otherwise. In fact I said the opposite. My concern was about
the criteria being objective and not subjective, regardless of who is
processing them.

Nobody should be doing a "risk/benefit tradeoff to the security process
and the project" when processing an application. They should be going
through a list ticking boxes to show that the applicant has(n't) met
various criteria.

Ian.