From: Konrad Rzeszutek Wilk
Subject: Re: [DRAFT] Coverity Access Policy
Date: Wed, 25 Sep 2013 11:15:57 -0400
Message-ID: <20130925151557.GB5932@phenom.dumpdata.com>
References: <1379945692.19256.160.camel@kazak.uk.xensource.com> <20130924173532.GB14176@phenom.dumpdata.com> <1380098048.23688.78.camel@kazak.uk.xensource.com> <20130925142623.GE3834@phenom.dumpdata.com> <1380121015.23688.172.camel@kazak.uk.xensource.com>
In-Reply-To: <1380121015.23688.172.camel@kazak.uk.xensource.com>
To: Ian Campbell
Cc: Lars Kurth, xen-devel
List-Id: xen-devel@lists.xenproject.org

On Wed, Sep 25, 2013 at 03:56:55PM +0100, Ian Campbell wrote:
> On Wed, 2013-09-25 at 10:26 -0400, Konrad Rzeszutek Wilk wrote:
> > On Wed, Sep 25, 2013 at 09:34:08AM +0100, Ian Campbell wrote:
> > > On Tue, 2013-09-24 at 13:35 -0400, Konrad Rzeszutek Wilk wrote:
> > > > On Mon, Sep 23, 2013 at 03:14:52PM +0100, Ian Campbell wrote:
> > > > > I've tried to codify some of the ideas put forward in the previous
> > > > > thread and round out the proposal with some practicalities.
> > > > >
> > > > > I was undecided about requiring unanimity (i.e. no objections from a
> > > > > maintainer) rather than just consensus. Any thoughts on that? A (well
> > > > > reasoned) objection should carry a fair bit of weight under these
> > > > > circumstances I think.
> > > > >
> > > > > 8<--------------------------------
> > > > >
> > > > > The Xen Project is registered with the "Coverity Scan" service[0]
> > > > > which applies Coverity's static analyser to the Open Source
> > > > > projects. The tool can and does find flaws in the source code which
> > > > > can include security issues.
> > > > >
> > > > > Triaging and proposing solutions for the flaws found by Coverity is a
> > > > > useful way in which Community members can contribute to the Xen
> > > > > Project. However because the service may discover security issues and
> > > > > the Xen Project practices responsible disclosure as described in "Xen
> > > > > Security Problem Response Process"[1] the full database of issues
> > > > > cannot simply be made public.
> > > > >
> > > > > Members of the community may request access to the Coverity database
> > > > > under the condition that for any security issues discovered, they:
> > > > >
> > > > > * agree to follow the security response process[1].
> > > > > * undertake to report security issues discovered to the security team
> > > > >   (security@xen.org) within 3 days of discovery.
> > > > > * waive their right to select the disclosure time line. Discoveries
> > > > >   will follow the default time lines given in the policy.
> > > > > * agree to not disclose any issue discovered other than to the
> > > > >   security team, unless this has been approved by the security team.
> > > >
> > > > Perhaps that sentence above could be changed to:
> > > >
> > > > * agree to disclose issues discovered to the security team. Unless the
> > > >   security team has given approval to publicly disclose it.
> > >
> > > I don't think this wording quite so clearly excludes telling your
> > > friends/blackhats/people in the pub.
> > >
> > > I prefer my original wording.
> >
> > Perhaps it is me having an English as a secondary language but I had
> > a rough time understanding 'not', and 'unless' in the sentence.
> > It made it much easier to understand when I flipped it.
> >
> > Maybe this:
> > * agree to disclose the issues discovered ONLY to the security team.
> >   Unless the security team has given approval to publicly disclose it.
>
> My issue with your wording was with "publicly".
>
> How about:
> * agree to disclose the issues discovered ONLY to the security team
>   and not to any other party.
>
> If so I'd move it to be the bullet after "undertake to report".
>
> We can leave out the "unless approved bit", we will deal with that on a
> case by case basis.

I like that. Thank you!

>
> Ian.
>