Re: [PATCH RFC] Make all public hosting providers eligible for the pre-disclosure list

[George Dunlap <george.dunlap@eu.citrix.com>]

On 03/12/12 17:26, Ian Campbell wrote:
> On Mon, 2012-12-03 at 17:12 +0000, George Dunlap wrote:
>> On Tue, Nov 27, 2012 at 12:05 PM, George Dunlap
>> <George.Dunlap@eu.citrix.com> wrote:
>>          On Mon, Nov 19, 2012 at 5:42 PM, Ian Campbell
>>          <Ian.Campbell@citrix.com> wrote:
>>          
>>                  > +    <p>Here as a rule of thumb, "public hosting
>>                  provider" means
>>                  > +    "selling virtualization services to the general
>>                  public";
>>                  > +    "large-scale" and "widely deployed" means an
>>                  installed base of
>>                  > +    300,000 or more Xen guests.  Other
>>                  well-established organisations
>>                  > +    with a mature security response process will be
>>                  considered on a
>>                  > +    case-by-case basis.</p>
>>                  
>>                  
>>                  I agree with Ian that relaxing this for software
>>                  vendors also seems the
>>                  correct thing to do.
>>          
>>          If we're going to include software vendors, we need some
>>          simple criteria to define what a "real" software vendor is.
>>          The idea of asking for a link from cloud providers pointing to
>>          public rates and a security policy, which Ian Jackson
>>          proffered, was a good one.  I suppose we could do something
>>          similar for software providers: a link to a web page with
>>          either download-able install images, or prices, perhaps?
>>          
>>
>> Thinking a bit more about this one -- if someone had (say) a Debian
>> derivative that looked like it was basically just a different default
>> set of packages -- IOW, a very small amount of effort to create and
>> maintain -- that wouldn't qualify for being on the list, right?  So it
>> seems to me like "amount of effort spent" is kind of what we're
>> looking for, right?  I mean, if 2-3 developers are spending 3-4 hours
>> per week each working on something, then it's clearly a project we
>> could consider, even if it's really small.  I'm sure that would
>> include QubesOS, ArchLinux, Edubuntu, Scientific Linux, &c &c.  But if
>> it's one guy spending half an hour every six months, he doesn't really
>> need to be on the list I don't think.
> Is "deviation from upstream" a factor at all?
>
> e.g. is a Debian derivative just ships the Xen bits direct from Debian
> then there doesn't seem to be much call for them to be on the list, they
> can simply just ship the security update too. This would be true even if
> they were dozens of engineers working full time.

I was going to say that if they're not informed, there may be a longer 
turn-around time; but providers on the list are explicitly allowed to 
say that there *is* a vulnerability, and *when* the disclosure is 
scheduled to be, so if it's just a matter of making the same bits 
available that Debian has made available, it shouldn't be too long for 
those who are prepared.

But how much extra work would you need to do to qualify you for the 
list?  Suppose there's a derivative with a single additional patch -- 
that will still require pulling in the source, potentially porting the 
patch, doing a re-build, and some basic re-testing -- that whole thing 
could take a day even for a well-funded project.

If the criteria is so small, and so easy to qualify (just re-build the 
package basically), I'm not sure it's so useful to mention it.

> I went looking for the linux-distros list inclusion criteria, in the
> hopes we could just piggy back off that, but I can't find it right now.

I've got a draft I think is helpful; I'll send a v2 and people can see 
what they think of it.

  -George