From mboxrd@z Thu Jan 1 00:00:00 1970 From: John Haxby Subject: Re: Security vulnerability process, and CVE-2012-0217 Date: Wed, 04 Jul 2012 11:04:03 +0100 Message-ID: <4FF41513.8030408@oracle.com> References: <20448.49637.38489.246434@mariner.uk.xensource.com> <4FE1AAB6020000780008AC16@nat28.tlf.novell.com> <20120628193037.4a7c10c2@pyramind.ukuu.org.uk> <1341394035.31696.22.camel@zakaz.uk.xensource.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1341394035.31696.22.camel@zakaz.uk.xensource.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Ian Campbell Cc: Ian Jackson , Jan Beulich , Alan Cox , "xen-devel@lists.xen.org" List-Id: xen-devel@lists.xenproject.org On 04/07/12 10:27, Ian Campbell wrote: > On Thu, 2012-06-28 at 19:30 +0100, Alan Cox wrote: >> > >>>> > > > 8. Predisclosure subscription process, and email address criteria >> > >> > Email is not a trustworthy medium. The linux security list was in the >> > past intercepted. > I think it would be wise to add encryption (and the requirement to > provide a key) to the pre-disclosure list. I wonder if mailman has > per-subscriber encryption capabilities. > > If not then we should consider moving this particular list to a list > manager which can. Apparently whatever the linux-distros list uses can > do this (judging from > http://oss-security.openwall.org/wiki/mailing-lists/distros) That's correct. linux-distros (and distros) also precludes having exploder lists in organisations. That's not generally going to be a problem -- you're not likely to have more than a handful of people on the list even in largish organisations. The linux-distros and distros lists are, I believe, based around something the list manager maintains. You'd have to ask him about how it works. jch