From: Matthew Allen <matthew.allen@citrix.com>
To: Ian Jackson <ijackson@chiark.greenend.org.uk>
Cc: Stefano Stabellini <sstabellini@kernel.org>,
committers@xenproject.org, Jan Beulich <JBeulich@suse.com>,
xen-devel@lists.xen.org
Subject: Re: Possible improvement to Xen Security Response Process
Date: Mon, 12 Dec 2016 17:11:46 +0000
Message-ID: <1481562706.24400.42.camel@citrix.com>
In-Reply-To: <22600.14203.388997.169211@chiark.greenend.org.uk>
On Wed, 2016-12-07 at 16:23 +0000, Ian Jackson wrote:
> ...
> I have an alternative concrete suggestion:
>
> Unless there are good reasons to diverge, our suggestions to
> discoverer(s) will be based on the following criteria, in order of
> precedence:
> 1. Avoiding disclosure on Fridays, weekends, or on or immediately
> before widely respected public holidays.
> 2. Minimising the number of distinct publication dates
> within each 14 day period.
> 3. Making the preparation period for each advisory as close,
> on a log scale, to 14 days as possible.
> (The preparation period for an advisory is the period between
> predisclosure and publication.)
> ...
> Bunfight, anyone ?
>
>
> Ian.
> (Responding with a personal opinion, and hence from a personal
> email address. I haven't discussed this with my management at
> Citrix.)
>
I'll join in the bunfight with a stronger proposal (noting in passing
that according to https://xenbits.xen.org/xsa/ we are now expecting 5
consecutive weeks of XSA announcements):
1) Where practical, XSA public disclosures will be batched and announced
once per month.
2) The calendar of disclosure dates will be published well in advance
and will avoid Fridays, weekends, or dates on or immediately before
widely respected public holidays.
3) Issues will normally have at least 14 days pre-disclosure; this means
that an issue discovered immediately prior to a scheduled publication
date will normally not be disclosed until the next publication date.
Clearly there will be times when this can't be done; I am also aware
that discoverers always have the final say. But both of those points
apply to the current policy as well.
I know that this would be a significant change. However, the present
frequent and unpredictable nature of disclosures consumes a lot of time
that would otherwise be better spent on contributing to and improving
Xen.
Matthew
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel