Re: [PATCH] Minor security policy text changes to avoid ambiguity

[George Dunlap <george.dunlap@citrix.com>]

On 3/1/19 2:48 PM, Ian Jackson wrote:
> Lars Kurth writes ("[PATCH] Minor security policy text changes to avoid ambiguity"):
>> See http://xenbits.xen.org/gitweb/?p=people/larsk/governance.git;a=summary
>> for the repository.
> 
> I don't think in fact that there was previously any ambiguity.  The
> text in the policy two paragraphs earlier explains in detail, and
> entirely explicitly and without any room for doubt, that distribution
> is prohibited.
> 
> The misunderstanding arises through reading just the section on
> `deployment' out of context and then taking a wide reading of
> `deployment'.
> 
> This is a common failure mode with any kind of document: the document
> is long or the reader is in a hurry or stressed, so they do not read
> all of it; they look for the part that seems to apply to them and
> misunderstand it, in haste.  Also people tend to read what they want
> to hear.
> 
> Adding more text far from the site of the misunderstanding does
> nothing to help this.  Rather, it makes it worse: there is an
> antipattern in documents of this kind where every misunderstanding
> results in the addition of further repetitive text.  The document then
> becomes longer, and reading the whole thing becomes harder and also
> less worthwhile.
> 
> I think adding a small amount of text can be valuable, in important
> cases, if it is done right next to the site of the potential
> misunderstanding.  In this case I think that means something more like
> the patch below.
> 
> What do people think ?
> 
> Thanks,
> Ian.
> 
> 
> commit 35ad94db90eb6d926416deeaddf8cc19b0f46ef1
> Author: Ian Jackson <ian.jackson@eu.citrix.com>
> Date:   Fri Mar 1 14:40:06 2019 +0000
> 
>     Avoid misunderstanding of `deploy'
> 
> diff --git a/security-policy.pandoc b/security-policy.pandoc
> index 8e07384..af285be 100644
> --- a/security-policy.pandoc
> +++ b/security-policy.pandoc
> @@ -213,9 +213,11 @@ List members are allowed to make available to their users only the following:
> -   The assigned XSA number
> -   The planned disclosure date
> 
> List members may, if (and only if) the Security Team grants
> permission, deploy fixed versions {+on their own services+} during the
> embargo.  {+(NB: Distribution of fixes is, mostly, prohibited; see above.)+}
> Permission for deployment, and any restrictions, will be stated in the
> embargoed advisory text.
> 
> The Security Team will normally permit such deployment, even for systems where
> VMs are managed or used by non-members of the predisclosure list. The Security
> 
> 
> 
> From 35ad94db90eb6d926416deeaddf8cc19b0f46ef1 Mon Sep 17 00:00:00 2001
> From: Ian Jackson <ian.jackson@eu.citrix.com>
> Date: Fri, 1 Mar 2019 14:40:06 +0000
> Subject: [PATCH] Avoid misunderstanding of `deploy'
> 
> ---
>  security-policy.pandoc | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/security-policy.pandoc b/security-policy.pandoc
> index 8e07384..af285be 100644
> --- a/security-policy.pandoc
> +++ b/security-policy.pandoc
> @@ -213,9 +213,11 @@ List members are allowed to make available to their users only the following:
>  -   The assigned XSA number
>  -   The planned disclosure date
>  
> -List members may, if (and only if) the Security Team grants permission, deploy
> -fixed versions during the embargo. Permission for deployment, and any
> -restrictions, will be stated in the embargoed advisory text.
> +List members may, if (and only if) the Security Team grants
> +permission, deploy fixed versions on their own services during the
> +embargo.  (NB: Distribution of fixes is, mostly, prohibited; see above.)
> +Permission for deployment, and any restrictions, will be stated in the
> +embargoed advisory text.

This change looks good to me -- has it been committed yet?

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel