Re: Security disclosure process discussion update

xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed

From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
To: George Dunlap <George.Dunlap@eu.citrix.com>
Cc: "xen-users@lists.xen.org" <xen-users@lists.xen.org>,
	xen-announce@lists.xen.org,
	"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>
Subject: Re: Security disclosure process discussion update
Date: Mon, 7 Jan 2013 11:37:01 -0500	[thread overview]
Message-ID: <20130107163701.GA6682@phenom.dumpdata.com> (raw)
In-Reply-To: <CAFLBxZZuv=Q_T3F=e88DnJNhZqUutm-fDZ=FCS_-bdXV-eeWSg@mail.gmail.com>

On Mon, Dec 17, 2012 at 12:58:13PM +0000, George Dunlap wrote:
> After concluding our poll [1] about changes to the security
> discussion, we determined that "Pre-disclosure to software vendors and
> a wide set of users" was probably the best fit for the community.  A
> set of concrete changes to the policy have now been discussed on
> xen-devel [2] [3], and we seem to have converged on something everyone
> finds acceptable.
> 
> We are now presenting these changes for public review.  The purpose of
> this review process is to allow feedback on the text which will be
> voted on, in accordance to the Xen.org governance procedure [3].  Our
> plan is to leave this up for review until the third week in January.
> Any substantial updates will be mentioned on the blog and will extend
> the review time.
> 
> All feedback and discussion should happen in public on the xen-devel
> mailing list.  If you have any suggestions for how to improve the
> proposal, please e-mail the list, and cc George Dunlap (george dot
> dunlap at citrix.com).
> 
> = Summary of the updates =
> 
> As discussed on the xen-devel mailing list, expand eligibility of the
> pre-disclosure list to include any public hosting provider, as well
> as software project:
> * Change "Large hosting providers" to "Public hosting providers"
> * Remove "widely-deployed" from vendors and distributors
> * Add rules of thumb for what constitutes "genuine"
> * Add an itemized list of information to be included in the application,
> to make expectations clear and (hopefully) applications more streamlined.
> 
> The first will allow hosting providers of any size to join.
> 
> The second will allow software projects and vendors of any size to join.
> 
> The third and fourth will help describe exactly what criteria will be used
> to
> determine eligibility for 1 and 2.
> 
> Additionally, this proposal adds the following requirements:
> * Applicants and current members must use an e-mail alias, not an
> individual's
> e-mail

So if we use an mailing list internally..
> * Applicants and current members must submit a statement saying that they
> have
> read, understand, and will abide by this process document.

Are the folks on the internal mailing list bound by this as well? Meaning
that if a new person would like to join the internal mailing list they
need to have read, understood, etc the process document?

I would presume so, but you are not stating it here nor:

http://wiki.xen.org/wiki/Security_vulnerability_process_draft

So what is driving the 'alias' requirement?

next prev parent reply	other threads:[~2013-01-07 16:37 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-12-17 12:58 Security disclosure process discussion update George Dunlap
2013-01-07 16:37 ` Konrad Rzeszutek Wilk [this message]
2013-01-07 16:46   ` [Xen-users] " Ian Campbell
2013-01-07 19:12     ` Konrad Rzeszutek Wilk
2013-01-08  8:56       ` Ian Campbell
2013-01-15 15:41         ` George Dunlap
2013-04-08 11:24 ` George Dunlap
2013-04-15 14:55 ` [Xen-users] " Ian Campbell
2013-04-16 13:05   ` George Dunlap
2013-04-16 14:13     ` Ian Campbell
2013-04-19 19:41       ` Ian Campbell
2013-04-24 11:02         ` George Dunlap
2013-05-01 15:31           ` George Dunlap
2013-05-01 15:37             ` Ian Campbell
2013-05-01 15:38               ` George Dunlap
     [not found] ` <CAFLBxZbs2AeO3h=r3jOzM=+nG9p-hpTi4CAuk_qQc-rW0nc7Bg@mail.gmail.com>
2013-04-19 18:56   ` Matt Wilson
2013-04-23  9:37     ` George Dunlap
2013-04-23  9:49       ` Ian Campbell

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130107163701.GA6682@phenom.dumpdata.com \
    --to=konrad.wilk@oracle.com \
    --cc=George.Dunlap@eu.citrix.com \
    --cc=xen-announce@lists.xen.org \
    --cc=xen-devel@lists.xen.org \
    --cc=xen-users@lists.xen.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).