From: Konrad Rzeszutek Wilk
Subject: Re: Security disclosure process discussion update
Date: Mon, 7 Jan 2013 11:37:01 -0500
Message-ID: <20130107163701.GA6682@phenom.dumpdata.com>
To: George Dunlap
Cc: xen-users@lists.xen.org, xen-announce@lists.xen.org, xen-devel@lists.xen.org
List-Id: xen-devel@lists.xenproject.org

On Mon, Dec 17, 2012 at 12:58:13PM +0000, George Dunlap wrote:
> After concluding our poll [1] about changes to the security
> discussion, we determined that "Pre-disclosure to software vendors and
> a wide set of users" was probably the best fit for the community. A
> set of concrete changes to the policy have now been discussed on
> xen-devel [2] [3], and we seem to have converged on something everyone
> finds acceptable.
>
> We are now presenting these changes for public review. The purpose of
> this review process is to allow feedback on the text which will be
> voted on, in accordance with the Xen.org governance procedure [3]. Our
> plan is to leave this up for review until the third week in January.
> Any substantial updates will be mentioned on the blog and will extend
> the review time.
>
> All feedback and discussion should happen in public on the xen-devel
> mailing list. If you have any suggestions for how to improve the
> proposal, please e-mail the list, and cc George Dunlap (george dot
> dunlap at citrix.com).
>
> = Summary of the updates =
>
> As discussed on the xen-devel mailing list, expand eligibility of the
> pre-disclosure list to include any public hosting provider, as well
> as any software project:
> * Change "Large hosting providers" to "Public hosting providers"
> * Remove "widely-deployed" from vendors and distributors
> * Add rules of thumb for what constitutes "genuine"
> * Add an itemized list of information to be included in the application,
>   to make expectations clear and (hopefully) applications more streamlined.
>
> The first will allow hosting providers of any size to join.
>
> The second will allow software projects and vendors of any size to join.
>
> The third and fourth will help describe exactly what criteria will be used to
> determine eligibility for 1 and 2.
>
> Additionally, this proposal adds the following requirements:
> * Applicants and current members must use an e-mail alias, not an individual's
>   e-mail

So if we use a mailing list internally..

> * Applicants and current members must submit a statement saying that they have
>   read, understand, and will abide by this process document.

Are the folks on the internal mailing list bound by this as well? Meaning
that if a new person would like to join the internal mailing list they need
to have read, understood, etc. the process document?

I would presume so, but you are not stating it here nor in:
http://wiki.xen.org/wiki/Security_vulnerability_process_draft

So what is driving the 'alias' requirement?