From: Ian Campbell
Subject: Re: Security vulnerability process, and CVE-2012-0217
Date: Mon, 2 Jul 2012 16:20:47 +0100
Message-ID: <1341242447.4625.119.camel@zakaz.uk.xensource.com>
References: <20448.49637.38489.246434@mariner.uk.xensource.com> <4FE1AAB6020000780008AC16@nat28.tlf.novell.com> <4FE1C2E3020000780008AC77@nat28.tlf.novell.com> <1341237571.4625.94.camel@zakaz.uk.xensource.com> <20120702161702.7af2ff8d@pyramind.ukuu.org.uk>
In-Reply-To: <20120702161702.7af2ff8d@pyramind.ukuu.org.uk>
To: Alan Cox
Cc: George Dunlap, Ian Jackson, Jan Beulich, "xen-devel@lists.xen.org"
List-Id: xen-devel@lists.xenproject.org

On Mon, 2012-07-02 at 16:17 +0100, Alan Cox wrote:
> > I think the default of accepting the disclosers position is a good one.
> > We want to encourage people to report such bugs to us and taking control
> > away from them is a good way to discourage them.
>
> You do need a standard answer for when they don't.

Agreed.

> > This is probably better, but also ties into the question of public
> > holidays in various territories. i.e. business day where...
>
> On a global basis you can't win. Saturday/Sunday are out, a chunk of the
> middle of summer the French are all away, then Chinese have golden week
> and so on and by the time you've blocked them all in your calendar is
> basically full.
>
> It's a global community so the counterpoint is that while someone is
> always on holiday, someone else is always at work.

This is true. Perhaps rather than consider all consumers we just need to
give consideration to those actually involved in creating / sending out
the advisory i.e. the security@ team since having one of them be away at
a critical juncture can throw a bit of a spanner into the works.

Ian.