From: Ian Campbell
Subject: Re: Earlier embargoed pre-disclosure without patches
Date: Wed, 27 May 2015 12:39:19 +0100
Message-ID: <1432726759.14664.204.camel@citrix.com>
To: Major Hayden, Lars Kurth
Cc: Stefano Stabellini, Jan Beulich, xen-devel@lists.xen.org

(Just adding Lars so he is aware and can run the formal vote once we have
consensus on a proposal for new text)

On Tue, 2015-05-26 at 15:38 +0000, Major Hayden wrote:
> On 05/26/2015 07:15 AM, Stefano Stabellini wrote:
> > On Fri, 22 May 2015, Major Hayden wrote:
> > > On 05/22/2015 09:04 AM, Jan Beulich wrote:
> > > > If you were to ask for this only if the time gap until embargo expiry
> > > > was less than the default of two weeks, maybe I would buy this.
> > >
> > > I'm good with that as well. I think we're saying:
> > >
> > >     if embargo_length < 14d:
> > >         # XSA-133 situation
> > >         send_pre_disclosure_draft()
> > >         wait_for_patches()
> > >     elif embargo_length >= 14d and not patches_ready:
> > >         wait_for_patches()
> > >     else:
> > >         send_pre_disclosure_full()
> > >
> > > Forgive my awful pseudo code. My coffee buffer is not yet full. ;)
> >
> > It makes sense to me. I can see the value for an organization with
> > thousands of servers to know about it in advance, regardless of the
> > patches, so that it can schedule the update work appropriately.
>
> Thanks for the help, folks.
> I've tossed a proposed security policy change into a Github gist[1].
>
> My proposal is to add this paragraph to the "Embargo and disclosure
> schedule" section of the Xen Security Policy[2]:
>
>     In the event that a two week embargo cannot be guaranteed,
>     we will send a draft with information about the vulnerability
>     to the pre-disclosure list as soon as possible, even if
>     patches have not yet been written or tested. An updated
>     draft will be sent to the pre-disclosure list once patches
>     become available.
>
> I welcome any and all feedback. Thanks!
>
> [1] https://gist.github.com/major/1a4f7ba7787b754845e9
> [2] http://www.xenproject.org/security-policy.html
>
> --
> Major Hayden