xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed
From: Matthew Allen <matthew.allen@citrix.com>
To: Stefano Stabellini <sstabellini@kernel.org>
Cc: committers@xenproject.org, Jan Beulich <JBeulich@suse.com>,
	xen-devel@lists.xen.org
Subject: Re: Possible improvement to Xen Security Response Process
Date: Tue, 6 Dec 2016 14:54:35 +0000	[thread overview]
Message-ID: <1481036075.24400.14.camel@citrix.com> (raw)
In-Reply-To: <alpine.DEB.2.10.1612051121330.6598@sstabellini-ThinkPad-X260>

On Mon, 2016-12-05 at 11:24 -0800, Stefano Stabellini wrote:
> On Mon, 5 Dec 2016, Jan Beulich wrote:
> > >>> On 05.12.16 at 15:17, <matthew.allen@citrix.com> wrote:
...
> > > Obviously, some issues are discussed in public before the security 
> > > impact is realised (such as XSA-201); equally, the right to set 
> > > a disclosure date (if any) rests with the discoverer.  However,
> > > my experience of other software (which may not be typical) has been
> > > that discoverers are usually happy to go along with any reasonable
> > > proposed date given in the same way that discoverers of XSAs are
> > > usually happy to conform to our present policy.
> > > 
> > > If this seems a good idea, then I’ll post a concrete proposal but 
> > > I’d like to get general feedback first.
> > 
> > I think very much here depends on the concrete aspects of the
> > proposal (timing, room for exceptions, etc). From just a general
> > pov, I can see advantages and disadvantages to both, just like
> > you've indicated yourself already. Also it shouldn't be left out of
> > consideration that for less severe vulnerabilities consuming
> > parties could decide for themselves whether to delay patching
> > (and hence leverage batching); I'm not convinced it would be a
> > good idea to require the XenProject Security Team to take this
> > decision in all cases.
> 
> Given that the disclosure date is always chosen by the discoverer, the
> only thing the security team can do is to suggest. It could make sense
> to have a policy to pick the date the team should propose to the
> discoverer, but at the end of the day, it is always, entirely, up to
> her.

I agree; I'm suggesting changes to the dates that the security team
would propose to a discoverer.  It's clearly entirely up to the
discoverer whether they accept the proposal or decide on a different
date (and they are, of course, under no obligation to contact the
security team in advance at all).
It does seem that discoverers are usually kind enough to contact the
security team and consent to the dates suggested by the present policy;
we should respect that kindness by making best use of the flexibility
offered as well as ensuring timely release.



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

  reply	other threads:[~2016-12-06 14:54 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-12-05 14:17 Possible improvement to Xen Security Response Process Matthew Allen
2016-12-05 15:00 ` Jan Beulich
2016-12-05 19:24   ` Stefano Stabellini
2016-12-06 14:54     ` Matthew Allen [this message]
2016-12-07 16:23       ` Ian Jackson
2016-12-12 17:11         ` Matthew Allen
2016-12-13  1:54           ` Anthony Liguori
2016-12-13  8:41           ` Jan Beulich
2017-01-04 11:58             ` James Bulpin
2017-01-04 13:01               ` Jan Beulich
2017-01-04 13:12                 ` James Bulpin
2017-01-20 19:21               ` Ian Jackson
2017-01-23 11:30                 ` Jan Beulich
2017-02-17 11:18                   ` Lars Kurth

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1481036075.24400.14.camel@citrix.com \
    --to=matthew.allen@citrix.com \
    --cc=JBeulich@suse.com \
    --cc=committers@xenproject.org \
    --cc=sstabellini@kernel.org \
    --cc=xen-devel@lists.xen.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).