Re: [Xen-devel] Security vulnerability process

To: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
Subject: Re: [Xen-devel] Security vulnerability process
From: Mike Bursell <mike.bursell@xxxxxxxxxx>
Date: Fri, 26 Aug 2011 15:33:45 +0100
Accept-language: en-US
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Fri, 26 Aug 2011 07:34:24 -0700
In-reply-to: <20054.12281.195707.52627@xxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <FAFE59DA478A2049938DF14B5C4B90FCB343067736@xxxxxxxxxxxxxxxxxxxxxxxxx> <20054.12281.195707.52627@xxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-topic: [Xen-devel] Security vulnerability process

On Thu, 2011-08-25 at 12:20 +0100, Ian Jackson wrote:
> Mike Bursell writes ("[Xen-devel] Security vulnerability process"):
> > Proposed changes
> > i. extend the standard embargo period from one week to two to allow more
> > time for response/roll-out.
> 
> Thanks for your comments.
> 
> No-one seems to have objected to this.

Always nice.  :-)

> > ii. allow the standard initial week to flex in the case that a fix is
> > not immediately found.
> 
> I agree with Ian Campbell's comment about this.  The wording:
> 
>   As discussed, we will negotiate with discoverers about disclosure
>   schedule.  Our usual starting point for that negotiation, unless there
>   are reasons to diverge from this, would be:
> 
> makes it clear that this schedule is definitely subject to variation
> depending on the circumstances.  Would you agree ?

That's fine, I think.

> > iii. allow the standard embargo period to be extended, by consensus of
> > those on the predisclosure list, moderated by the Board, to a longer
> > period.  This is to deal with cases where the vulnerability is
> > particularly severe and/or the fixes are particularly onerous to roll
> > out.  
> 
> I don't think this idea is really going to work.
> 
> Firstly, the predisclosure list is an announcement list, not a
> discussion list.  While the list of organisations will be published,
> in general the email addresses on it are busy security contact desks
> who do not want to be involved in extended discussions.
> 
> Secondly, I think it will in practice prove difficult to get consensus
> on an extension - given that the predisclosure list contains some
> organisations who have expectations of a very short timescale and who
> want to fix the problem for their users ASAP.  So such a provision
> wouldn't have much effect other than people sending extra emails.  And
> of course as Ian Campbell says we are still bound by the views of the
> discoverer.
> 
> Finally, even if these practical objections could be dealt with, it
> seems to me to be to be questionable to put the predisclosure list
> members in charge of the decision about when the rest of the users
> find out.  There is a clear conflict of interest there.
> 
> So for those reasons I'm afraid I think it wouldn't be appropriate to
> make that change.

After some thought, I think we're pushing away too far from the
discoverer here.  What I suggest, therefore, is to say

i) explicitly that if the discoverer wishes to extend the predisclosure
period, this will be honoured
ii) that if a predisclosure list member wishes to contact the discoverer
to request an extension, that the Xen.org security team will act as a
channel for such requests.

How does this sound?

-Mike.
-- 
Mike Bursell, Network Subsystem Architect
Citrix Systems R&D.  +44 7971 926937
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel