From: Ian Campbell <ian.campbell@citrix.com>
To: Major Hayden <major.hayden@rackspace.com>,
Lars Kurth <lars.kurth@xen.org>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>,
Jan Beulich <JBeulich@suse.com>,
"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>
Subject: Re: Earlier embargoed pre-disclosure without patches
Date: Wed, 27 May 2015 12:39:19 +0100 [thread overview]
Message-ID: <1432726759.14664.204.camel@citrix.com> (raw)
In-Reply-To: <a9018084e3884346a7a9a0dd9db75249@543881-IEXCH01.ror-uc.rackspace.com>
(Just adding Lars so he is aware and can run the formal vote once we
have consensus on a proposal for new text)
On Tue, 2015-05-26 at 15:38 +0000, Major Hayden wrote:
> On 05/26/2015 07:15 AM, Stefano Stabellini wrote:
> > On Fri, 22 May 2015, Major Hayden wrote:
> >> > On 05/22/2015 09:04 AM, Jan Beulich wrote:
> >>> > > If you were to ask for this only if the time gap until embargo expiry
> >>> > > was less than the default of two weeks, maybe I would buy this.
> >> >
> >> > I'm good with that as well. I think we're saying:
> >> >
> >> > if embargo_length < 14d:
> >> > # XSA-133 situation
> >> > send_pre_disclosure_draft()
> >> > wait_for_patches()
> >> > elif embargo_length >= 14d and not patches_ready:
> >> > wait_for_patches()
> >> > else:
> >> > send_pre_disclosure_full()
> >> >
> >> > Forgive my awful pseudo code. My coffee buffer is not yet full. ;)
> > It makes sense to me. I can see the value for an organization with
> > thousands of servers to know about it in advance, regardless of the
> > patches, so that it can schedule the update work appropriately.
>
> Thanks for the help, folks. I've tossed a proposed security policy change into a Github gist[1].
>
> My proposal is to add this paragraph to the "Embargo and disclosure schedule" section of the Xen Security Policy[2]:
>
> In the event that a two week embargo cannot be guaranteed,
> we will send a draft with information about the vulnerability
> to the pre-disclosure list as soon as possible, even if
> patches have not yet been written or tested. An updated
> draft will be sent to the pre-disclosure list once patches
> become available.
>
> I welcome any and all feedback. Thanks!
>
> [1] https://gist.github.com/major/1a4f7ba7787b754845e9
> [2] http://www.xenproject.org/security-policy.html
>
> --
> Major Hayden
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel
prev parent reply other threads:[~2015-05-27 11:39 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-21 13:03 Earlier embargoed pre-disclosure without patches Major Hayden
2015-05-22 7:40 ` Jan Beulich
2015-05-22 13:14 ` Major Hayden
2015-05-22 14:04 ` Jan Beulich
2015-05-22 14:12 ` Major Hayden
2015-05-26 12:15 ` Stefano Stabellini
2015-05-26 15:38 ` Major Hayden
2015-05-26 16:34 ` Stefano Stabellini
2015-05-26 20:34 ` Major Hayden
2015-05-27 14:07 ` Don Slutz
2015-05-27 17:47 ` Lars Kurth
2015-05-30 19:26 ` Major Hayden
2015-05-27 11:39 ` Ian Campbell [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1432726759.14664.204.camel@citrix.com \
--to=ian.campbell@citrix.com \
--cc=JBeulich@suse.com \
--cc=lars.kurth@xen.org \
--cc=major.hayden@rackspace.com \
--cc=stefano.stabellini@eu.citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.