From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ian Campbell <ian.campbell@citrix.com>
Subject: Re: [Formal Vote] Changes to Xen Project Security
 Vulnerability Process - Open until June 8th, 2015
Date: Fri, 5 Jun 2015 12:43:04 +0100
Message-ID: <1433504584.7108.234.camel@citrix.com>
References: <35D18A2F-7B4B-47B8-B673-4C049D19344A@gmail.com>
	<1433324122.7108.36.camel@citrix.com>
	<04C3D906-4508-4270-9C81-C625B58A91F6@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <04C3D906-4508-4270-9C81-C625B58A91F6@gmail.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Lars Kurth <lars.kurth.xen@gmail.com>
Cc: keir Fraser <keir@xen.org>, Tim Deegan <tim@xen.org>, Ian Jackson <Ian.Jackson@eu.citrix.com>, Major Hayden <major.hayden@rackspace.com>, "<xen-devel@lists.xen.org>" <xen-devel@lists.xen.org>, security@xenproject.org
List-Id: xen-devel@lists.xenproject.org

On Fri, 2015-06-05 at 12:32 +0100, Lars Kurth wrote:
> > On 3 Jun 2015, at 10:35, Ian Campbell <Ian.Campbell@citrix.com> wrote:
> > 
> > On Mon, 2015-06-01 at 10:36 +0100, Lars Kurth wrote:
> >> In the event that we do not have a patch available two working weeks
> >> before the disclosure date, we aim to send an advisory that reflects
> >> the current state of knowledge to the Xen security pre-disclosure
> >> list. An updated advisory will be published as soon as available.
> > 
> > I'm a bit concerned about the conditions and frequency with which
> > updated advisories would be expected, but not enough to object, +1.
> > 
> > Ian.
> 
> Ian, would expect that this clause will only really kick in in rare situations, as in the Venom case, where we were waiting for a patch from a 3rd party. For example, if the security team almost has an advisory ready 2 weeks before the disclosure date, I wouldn't expect that anything would change and you just do what you have always done. I think the phrase "aim to" gives the security team enough flexibility.
> 
> That was my interpretation of the text (or the intention). I just didn't want to over-codify the text. 
> 
> Does this make sense?

Yep, and more importantly I can point to this mail if there is any
disagreement about the spirit of the text ;-)

Ian.