From mboxrd@z Thu Jan 1 00:00:00 1970 From: George Dunlap Subject: Re: [Xen-users] Security disclosure process discussion update Date: Wed, 1 May 2013 16:38:53 +0100 Message-ID: <5181370D.90809@eu.citrix.com> References: <1366037716.8399.65.camel@zakaz.uk.xensource.com> <516D4CB5.1040301@eu.citrix.com> <1366121624.16851.23.camel@dagon.hellion.org.uk> <1366400507.29403.5.camel@dagon.hellion.org.uk> <5177BBD1.5070209@eu.citrix.com> <51813569.7010705@eu.citrix.com> <1367422674.3142.747.camel@zakaz.uk.xensource.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; Format="flowed" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1367422674.3142.747.camel@zakaz.uk.xensource.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Ian Campbell Cc: "xen-devel@lists.xen.org" List-Id: xen-devel@lists.xenproject.org On 01/05/13 16:37, Ian Campbell wrote: > On Wed, 2013-05-01 at 16:31 +0100, George Dunlap wrote: >> On 24/04/13 12:02, George Dunlap wrote: >>> On 19/04/13 20:41, Ian Campbell wrote: >>>> On Tue, 2013-04-16 at 15:13 +0100, Ian Campbell wrote: >>>>> On Tue, 2013-04-16 at 14:05 +0100, George Dunlap wrote: >>>>>> On 15/04/13 15:55, Ian Campbell wrote: >>>>>>> Asking them to setup xen-security-team@distro.org seems a bit of a >>>>>>> burden >>>>>> I'm just curious, is it really that much of a burden? If Debian, for >>>>>> example, already has infrastructure to accept >>>>>> "@packages.debian.org", how much extra work is it to add >>>>>> "-security@debian.org"? >>>>> For just one $package its probably still a moderate amount of work. I >>>> Ian J pointed out to me IRL that this is the sort of thing alioth (the >>>> Debian Source/FusionForge instance) ought to be able to provide and I >>>> can see an interface which purports to allow me to create a private list >>>> on there (but I've not tried it). >>>> >>>> Not sure about other distros but this seems to solve it for Debian at >>>> least. >>> How about the following: >>> >>> The addition of individual e-mail addresses for >>> an organization in addition to the organizational e-mail address >>> will be considered in exceptional circumstances; for example, if >>> the maintainer for the xen package is not on the organization's >>> security e-mail list, and either maintaining a separate list or >>> having those on the list act as an intermediary would be too >>> onerous. >> Ping? > Sorry, thought I'd replied. > > Given that Ian J has pointed me to Alioth private lists I'm no longer > concerned about this from Debian's PoV. I don't really know if this is > going to be an issue for other distros or not -- I suppose I'm inclined > to feel that if Debian can manage it so can they. OK -- and in any case that's kind of a separate issue from the big one, which is allowing more people to be on the list. Thanks, -George