[Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015

[Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015

[Lars Kurth]

[-- Attachment #1.1: Type: text/plain, Size: 1790 bytes --]

Hi,

in accordance with the project's governance, I would like to put the following text changes to a committer vote (committers are on the TO list). The discussion leading to the changes can be found at http://lists.xenproject.org/archives/html/xen-devel/2015-05/msg02881.html <http://lists.xenproject.org/archives/html/xen-devel/2015-05/msg02881.html>

Please vote +1, 0, -1 with explanation as usual. You can reply publicly or in private and I will collate results on the 9th.

Regards
Lars

Old text in http://www.xenproject.org/security-policy.html <http://www.xenproject.org/security-policy.html>
---
Specific process
...
4. Advisory pre-release: 

This occurs only if the advisory is embargoed (ie, the problem is not already public): 

As soon as our advisory is available, we will send it, including patches, to members of the Xen security pre-disclosure list. 

For more information about this list, see below. At this stage the advisory will be clearly marked with the embargo date.
---

Proposed text (this adds an additional paragraph, while  leaving the existing text as-is):
---
Specific process
...
4. Advisory pre-release: 

This occurs only if the advisory is embargoed (ie, the problem is not already public): 

As soon as our advisory is available, we will send it, including patches, to members of the Xen security pre-disclosure list. 

In the event that we do not have a patch available two working weeks before the disclosure date, we aim to send an advisory that reflects the current state of knowledge to the Xen security pre-disclosure list. An updated advisory will be published as soon as available.

For more information about this list, see below. At this stage the advisory will be clearly marked with the embargo date.
---

[-- Attachment #1.2: Type: text/html, Size: 2896 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015

[Konrad Rzeszutek Wilk]

On Mon, Jun 01, 2015 at 10:36:25AM +0100, Lars Kurth wrote:
> Hi,
> 
> in accordance with the project's governance, I would like to put the following text changes to a committer vote (committers are on the TO list). The discussion leading to the changes can be found at http://lists.xenproject.org/archives/html/xen-devel/2015-05/msg02881.html <http://lists.xenproject.org/archives/html/xen-devel/2015-05/msg02881.html>
> 
> Please vote +1, 0, -1 with explanation as usual. You can reply publicly or in private and I will collate results on the 9th.

+1
> 
> Regards
> Lars
> 
> Old text in http://www.xenproject.org/security-policy.html <http://www.xenproject.org/security-policy.html>
> ---
> Specific process
> ...
> 4. Advisory pre-release: 
> 
> This occurs only if the advisory is embargoed (ie, the problem is not already public): 
> 
> As soon as our advisory is available, we will send it, including patches, to members of the Xen security pre-disclosure list. 
> 
> For more information about this list, see below. At this stage the advisory will be clearly marked with the embargo date.
> ---
> 
> Proposed text (this adds an additional paragraph, while  leaving the existing text as-is):
> ---
> Specific process
> ...
> 4. Advisory pre-release: 
> 
> This occurs only if the advisory is embargoed (ie, the problem is not already public): 
> 
> As soon as our advisory is available, we will send it, including patches, to members of the Xen security pre-disclosure list. 
> 
> In the event that we do not have a patch available two working weeks before the disclosure date, we aim to send an advisory that reflects the current state of knowledge to the Xen security pre-disclosure list. An updated advisory will be published as soon as available.
> 
> For more information about this list, see below. At this stage the advisory will be clearly marked with the embargo date.
> ---

Re: [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015

[Ian Campbell]

On Mon, 2015-06-01 at 10:36 +0100, Lars Kurth wrote:
> In the event that we do not have a patch available two working weeks
> before the disclosure date, we aim to send an advisory that reflects
> the current state of knowledge to the Xen security pre-disclosure
> list. An updated advisory will be published as soon as available.

I'm a bit concerned about the conditions and frequency with which
updated advisories would be expected, but not enough to object, +1.

Ian.

Re: [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015

[Lars Kurth]

> On 3 Jun 2015, at 10:35, Ian Campbell <Ian.Campbell@citrix.com> wrote:
> 
> On Mon, 2015-06-01 at 10:36 +0100, Lars Kurth wrote:
>> In the event that we do not have a patch available two working weeks
>> before the disclosure date, we aim to send an advisory that reflects
>> the current state of knowledge to the Xen security pre-disclosure
>> list. An updated advisory will be published as soon as available.
> 
> I'm a bit concerned about the conditions and frequency with which
> updated advisories would be expected, but not enough to object, +1.
> 
> Ian.

Ian, would expect that this clause will only really kick in in rare situations, as in the Venom case, where we were waiting for a patch from a 3rd party. For example, if the security team almost has an advisory ready 2 weeks before the disclosure date, I wouldn't expect that anything would change and you just do what you have always done. I think the phrase "aim to" gives the security team enough flexibility.

That was my interpretation of the text (or the intention). I just didn't want to over-codify the text. 

Does this make sense?

Regards
Lars

Re: [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015

[Ian Campbell]

On Fri, 2015-06-05 at 12:32 +0100, Lars Kurth wrote:
> > On 3 Jun 2015, at 10:35, Ian Campbell <Ian.Campbell@citrix.com> wrote:
> > 
> > On Mon, 2015-06-01 at 10:36 +0100, Lars Kurth wrote:
> >> In the event that we do not have a patch available two working weeks
> >> before the disclosure date, we aim to send an advisory that reflects
> >> the current state of knowledge to the Xen security pre-disclosure
> >> list. An updated advisory will be published as soon as available.
> > 
> > I'm a bit concerned about the conditions and frequency with which
> > updated advisories would be expected, but not enough to object, +1.
> > 
> > Ian.
> 
> Ian, would expect that this clause will only really kick in in rare situations, as in the Venom case, where we were waiting for a patch from a 3rd party. For example, if the security team almost has an advisory ready 2 weeks before the disclosure date, I wouldn't expect that anything would change and you just do what you have always done. I think the phrase "aim to" gives the security team enough flexibility.
> 
> That was my interpretation of the text (or the intention). I just didn't want to over-codify the text. 
> 
> Does this make sense?

Yep, and more importantly I can point to this mail if there is any
disagreement about the spirit of the text ;-)

Ian.

Re: [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015

[Lars Kurth]

> On 5 Jun 2015, at 12:43, Ian Campbell <Ian.Campbell@citrix.com> wrote:
> 
> On Fri, 2015-06-05 at 12:32 +0100, Lars Kurth wrote:
>>> On 3 Jun 2015, at 10:35, Ian Campbell <Ian.Campbell@citrix.com> wrote:
>>> 
>>> On Mon, 2015-06-01 at 10:36 +0100, Lars Kurth wrote:
>>>> In the event that we do not have a patch available two working weeks
>>>> before the disclosure date, we aim to send an advisory that reflects
>>>> the current state of knowledge to the Xen security pre-disclosure
>>>> list. An updated advisory will be published as soon as available.
>>> 
>>> I'm a bit concerned about the conditions and frequency with which
>>> updated advisories would be expected, but not enough to object, +1.
>>> 
>>> Ian.
>> 
>> Ian, would expect that this clause will only really kick in in rare situations, as in the Venom case, where we were waiting for a patch from a 3rd party. For example, if the security team almost has an advisory ready 2 weeks before the disclosure date, I wouldn't expect that anything would change and you just do what you have always done. I think the phrase "aim to" gives the security team enough flexibility.
>> 
>> That was my interpretation of the text (or the intention). I just didn't want to over-codify the text. 
>> 
>> Does this make sense?
> 
> Yep, and more importantly I can point to this mail if there is any
> disagreement about the spirit of the text ;-)
> 
> Ian.

Any more votes from committers? 
As far was I can see we had Konrad, Ian C and Tim voting.
Ian J was on vacation last week and I forgot to CC Jan (apologies).
Regards
Lars

Re: [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015

[Jan Beulich]

>>> On 08.06.15 at 12:08, <lars.kurth.xen@gmail.com> wrote:
> Any more votes from committers? 

I'm neither against the change nor too much in favor, and I didn't
think explicitly replying with "0" would help much. If it does, here
you are:

0

Jan

Re: [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015

[Ian Jackson]

Ian Campbell writes ("Re: [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015"):
> On Mon, 2015-06-01 at 10:36 +0100, Lars Kurth wrote:
> > In the event that we do not have a patch available two working weeks
> > before the disclosure date, we aim to send an advisory that reflects
> > the current state of knowledge to the Xen security pre-disclosure
> > list. An updated advisory will be published as soon as available.
> 
> I'm a bit concerned about the conditions and frequency with which
> updated advisories would be expected, but not enough to object, +1.

The proposed text says "_An_ updated advisory".  That is, one updated
advisory.

+1

Ian.

Re: [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015

[Lars Kurth]

The vote carries with 
1 x 0
4x +1
I am going to update the text now
Regards
Lars

> On 8 Jun 2015, at 11:40, Ian Jackson <ian.jackson@eu.citrix.com> wrote:
> 
> Ian Campbell writes ("Re: [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015"):
>> On Mon, 2015-06-01 at 10:36 +0100, Lars Kurth wrote:
>>> In the event that we do not have a patch available two working weeks
>>> before the disclosure date, we aim to send an advisory that reflects
>>> the current state of knowledge to the Xen security pre-disclosure
>>> list. An updated advisory will be published as soon as available.
>> 
>> I'm a bit concerned about the conditions and frequency with which
>> updated advisories would be expected, but not enough to object, +1.
> 
> The proposed text says "_An_ updated advisory".  That is, one updated
> advisory.
> 
> +1
> 
> Ian.

Re: [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015

[Major Hayden]

On 06/09/2015 06:06 AM, Lars Kurth wrote:
> The vote carries with 
> 1 x 0
> 4x +1
> I am going to update the text now
> Regards
> Lars

Thanks for everyone's time and consideration! :)

--
Major Hayden

Re: [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015

[Tim Deegan]

At 10:36 +0100 on 01 Jun (1433154985), Lars Kurth wrote:
> In the event that we do not have a patch available two working weeks
> before the disclosure date, we aim to send an advisory that reflects
> the current state of knowledge to the Xen security pre-disclosure
> list. An updated advisory will be published as soon as available.

+1.

Tim.