From: Ian Campbell <ian.campbell@citrix.com>
To: Lars Kurth <lars.kurth.xen@gmail.com>
Cc: keir Fraser <keir@xen.org>, Tim Deegan <tim@xen.org>,
	Ian Jackson <Ian.Jackson@eu.citrix.com>,
	Major Hayden <major.hayden@rackspace.com>,
	"<xen-devel@lists.xen.org>" <xen-devel@lists.xen.org>,
	security@xenproject.org
Subject: Re: [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015
Date: Fri, 5 Jun 2015 12:43:04 +0100
Message-ID: <1433504584.7108.234.camel@citrix.com>
In-Reply-To: <04C3D906-4508-4270-9C81-C625B58A91F6@gmail.com>

On Fri, 2015-06-05 at 12:32 +0100, Lars Kurth wrote:
> > On 3 Jun 2015, at 10:35, Ian Campbell <Ian.Campbell@citrix.com> wrote:
> > 
> > On Mon, 2015-06-01 at 10:36 +0100, Lars Kurth wrote:
> >> In the event that we do not have a patch available two working weeks
> >> before the disclosure date, we aim to send an advisory that reflects
> >> the current state of knowledge to the Xen security pre-disclosure
> >> list. An updated advisory will be published as soon as available.
> > 
> > I'm a bit concerned about the conditions and frequency with which
> > updated advisories would be expected, but not enough to object, +1.
> > 
> > Ian.
> 
> Ian, I would expect that this clause will only really kick in in rare situations, as in the Venom case, where we were waiting for a patch from a 3rd party. For example, if the security team almost has an advisory ready 2 weeks before the disclosure date, I wouldn't expect that anything would change and you just do what you have always done. I think the phrase "aim to" gives the security team enough flexibility.
> 
> That was my interpretation of the text (or the intention). I just didn't want to over-codify the text. 
> 
> Does this make sense?

Yep, and more importantly I can point to this mail if there is any
disagreement about the spirit of the text ;-)

Ian.
