From mboxrd@z Thu Jan 1 00:00:00 1970
From: John Haxby
Subject: Re: Security vulnerability process, and CVE-2012-0217
Date: Fri, 06 Jul 2012 15:36:59 +0100
Message-ID: <4FF6F80B.7040703@oracle.com>
References: <20448.49637.38489.246434@mariner.uk.xensource.com> <4FEB4BDD.5040205@goirand.fr> <4FEC23B7.7020802@xen.org> <20120703220337.GC4332@US-SEA-R8XVZTX> <4FF45896020000780008DA4C@nat28.tlf.novell.com> <4FF46AC9020000780008DAFD@nat28.tlf.novell.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Stefano Stabellini
Cc: George Dunlap, Lars Kurth, Matt Wilson, Jan Beulich, "xen-devel@lists.xen.org"
List-Id: xen-devel@lists.xenproject.org

On 04/07/12 16:09, Stefano Stabellini wrote:
>>> > > In practice, given the terms of the GPL, we cannot restrict anybody on
>>> > > the list from releasing the source of the fix before the embargo ends.
>> >
>> > Of course. It's an agreement between the list members to not
>> > disclose anything.
> Yes, but an agreement that cannot be legally enforced.

I don't see that that is an issue.

Taking linux-distros as an example, an embargo date cannot be enforced
as there is no legal framework in which to enforce it. Everyone
involved agrees to respect the embargo dates. If an individual or
organisation repeatedly flaunted the embargo dates they would likely
find themselves removed from the list although, to my knowledge, this
has not happened.

For the list to work, the members need to cooperate: it is in their own
interest to cooperate, legal frameworks aren't required.

jch