From: Konrad Rzeszutek Wilk
Subject: Coverity + XenProject + Process?
Date: Fri, 30 Aug 2013 11:00:53 -0400
Message-ID: <20130830150053.GP21239@phenom.dumpdata.com>
To: xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

Hey,

We have a static analyzer set up for Xen called Coverity. It allows the code to be inspected for bugs and such.

Originally I set this up so that we could make sure that there are no bugs that cause security issues - and as such invited only folks on the Xen security mailing list. But there are other folks who I am sure would like to contribute, and as Coverity is pretty amazing at analyzing issues and providing a good idea of how to fix them - I was wondering what the procedure should be for involving volunteers in that?

Initially it was recommended that they agree to the security disclosure policy (http://www.xenproject.org/security-policy.html) and agree to use by default the "Two working weeks between issue of our advisory to our predisclosure list and publication."

But I am not sure who should have the power to veto/accept volunteers? Should security@Xen.org do that? Or should folks on the Xen Devel mailing list be involved in it as well? Should that security disclosure policy be used for that as well?

Ideas?

Thank you.