From: Thomas Goirand <thomas@goirand.fr>
To: xen-devel@lists.xen.org
Subject: Re: Security vulnerability process, and CVE-2012-0217
Date: Fri, 29 Jun 2012 23:48:41 +0800
Message-ID: <4FEDCE59.6020003@goirand.fr>
In-Reply-To: <CAFLBxZYWnW_d8YDeFdzjdUhyysqxd12gPU4Pr6Rj7LQjtLwx+A@mail.gmail.com>

On 06/29/2012 06:01 PM, George Dunlap wrote:
> On Wed, Jun 27, 2012 at 7:07 PM, Thomas Goirand <thomas@goirand.fr> wrote:
>> On 06/20/2012 05:45 PM, George Dunlap wrote:
>>> The only way this would work is if the predisclosure list consisted
>>> exclusively of software providers, and specifically excluded service
>>> providers.
>> I agree, though you might have corner cases.
>>
>> What if you are *both* software and service provider (eg: I'm working on
>> Debian and XCP, and my small company provides a hosted Xen service)?
> 
> If we do make a rule that only software providers can be on the list,
> and not service providers, then ideally you should try to separate the
> roles.  If you are on the list as a software provider, you should use
> that information only to prepare patches; but not deploy them on your
> own systems until the embargo date.
> 
> In a way, the question is very similar to asking, "I'm working on
> Debian and XCP, and my best friend owns a small company that provides
> a hosted Xen service."  If you told your friend about the
> vulnerability, you would be breaking the security embargo (and giving
> your friend an unfair advantage over other hosting services), and
> would be at risk of being removed from the list if someone found out.
> If you wear two "hats", as it were, the same would be true if your
> developer "hat" told your service provider "hat": actually updating
> your systems before the embargo would (I think) be considered breaking
> the embargo, and would be giving yourself an unfair advantage over
> other hosting services.
> 
> (All of the above discussion is, of course, only valid in the
> hypothetical situation that we don't allow service providers to be on
> the list.)
> 
>  -George

Exactly what I think as well. I'm happy you wrote the above.

Thomas
