From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
To: George Dunlap <George.Dunlap@eu.citrix.com>
Cc: "xen-users@lists.xen.org" <xen-users@lists.xen.org>,
xen-announce@lists.xen.org,
"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>
Subject: Re: Security disclosure process discussion update
Date: Mon, 7 Jan 2013 11:37:01 -0500
Message-ID: <20130107163701.GA6682@phenom.dumpdata.com>
In-Reply-To: <CAFLBxZZuv=Q_T3F=e88DnJNhZqUutm-fDZ=FCS_-bdXV-eeWSg@mail.gmail.com>

On Mon, Dec 17, 2012 at 12:58:13PM +0000, George Dunlap wrote:
> After concluding our poll [1] about changes to the security
> discussion, we determined that "Pre-disclosure to software vendors and
> a wide set of users" was probably the best fit for the community. A
> set of concrete changes to the policy have now been discussed on
> xen-devel [2] [3], and we seem to have converged on something everyone
> finds acceptable.
>
> We are now presenting these changes for public review. The purpose of
> this review process is to allow feedback on the text which will be
> voted on, in accordance with the Xen.org governance procedure [3]. Our
> plan is to leave this up for review until the third week in January.
> Any substantial updates will be mentioned on the blog and will extend
> the review time.
>
> All feedback and discussion should happen in public on the xen-devel
> mailing list. If you have any suggestions for how to improve the
> proposal, please e-mail the list, and cc George Dunlap (george dot
> dunlap at citrix.com).
>
> = Summary of the updates =
>
> As discussed on the xen-devel mailing list, expand eligibility of the
> pre-disclosure list to include any public hosting provider, as well
> as software projects:
> * Change "Large hosting providers" to "Public hosting providers"
> * Remove "widely-deployed" from vendors and distributors
> * Add rules of thumb for what constitutes "genuine"
> * Add an itemized list of information to be included in the application,
> to make expectations clear and (hopefully) applications more streamlined.
>
> The first will allow hosting providers of any size to join.
>
> The second will allow software projects and vendors of any size to join.
>
> The third and fourth will help describe exactly what criteria will be used
> to determine eligibility for 1 and 2.
>
> Additionally, this proposal adds the following requirements:
> * Applicants and current members must use an e-mail alias, not an
> individual's e-mail

So if we use a mailing list internally..

> * Applicants and current members must submit a statement saying that they
> have read, understand, and will abide by this process document.

Are the folks on the internal mailing list bound by this as well? Meaning
that if a new person would like to join the internal mailing list they
need to have read, understood, etc. the process document?

I would presume so, but you are not stating it here nor:
http://wiki.xen.org/wiki/Security_vulnerability_process_draft

So what is driving the 'alias' requirement?