From: Ian Campbell <Ian.Campbell@citrix.com>
To: Ian Jackson <ijackson@chiark.greenend.org.uk>
Cc: lars.kurth.xen@gmail.com, xen-devel@lists.xenproject.org,
Ian Jackson <Ian.Jackson@eu.citrix.com>
Subject: Re: [PATCH SECURITY-POLICY 3/9] Deployment with Security Team Permission
Date: Mon, 19 Jan 2015 12:35:29 +0000 [thread overview]
Message-ID: <1421670929.10440.75.camel@citrix.com> (raw)
In-Reply-To: <1421437941-10997-3-git-send-email-ijackson@chiark.greenend.org.uk>
On Fri, 2015-01-16 at 19:52 +0000, Ian Jackson wrote:
> Permitting deployment during embargo seemed to have rough consensus on
> the principle. We seemed to be converging on the idea that the
> Security Team should explicitly set deployment restrictions for each
> set of patches.
>
> Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
> ---
> security_vulnerability_process.html | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/security_vulnerability_process.html b/security_vulnerability_process.html
> index 010cf76..de5e83e 100644
> --- a/security_vulnerability_process.html
> +++ b/security_vulnerability_process.html
> @@ -212,6 +212,17 @@ following:</p>
> <li>The assigned XSA number</li>
> <li>The planned disclosure date</li>
> </ul>
> +<p>List members may, if (and only if) the Security Team grants
> +permission, deploy fixed versions during the embargo. Permission for
> +deployment, and any restrictions, will be stated in the embargoed
> +advisory text.</p>
Do you have a corresponding patch to our advisory template to add a
section with an XXX for this?
> +<p>The Security Team will normally permit such deployment, even for
> +systems where VMs are managed or used by non-members of the
> +predisclosure list. The Security Team will impose deployment
> +restrictions only insofar as it is necessary to prevent the exposure
> +of technicalities (for example, differences in behaviour) which
> +present a significant risk of rediscovery of the vulnerability. Such
> +situations are expected to be rare.</p>
> <p><em>NOTE:</em> Prior v2.2 of this policy (25 June 2014) it was
> permitted to also make available the allocated CVE number. This is no
> longer permitted in accordance with MITRE policy.</p>
next prev parent reply other threads:[~2015-01-19 12:35 UTC|newest]
Thread overview: 90+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-08 15:54 Security policy ambiguities - XSA-108 process post-mortem Xen Project Security Team
2014-10-08 23:06 ` Ian Jackson
2014-10-08 23:55 ` Lars Kurth
2014-10-09 9:37 ` Ian Jackson
2014-10-09 11:24 ` George Dunlap
2014-10-09 16:19 ` Ian Campbell
2014-10-10 14:25 ` Jan Beulich
2014-10-13 12:17 ` George Dunlap
2014-10-29 13:27 ` James Bulpin
2015-01-19 20:36 ` James McKenzie
2015-01-20 8:54 ` Jan Beulich
2015-01-20 12:29 ` George Dunlap
2015-02-12 10:44 ` Lars Kurth
2014-11-10 18:01 ` Ian Jackson
2014-11-11 12:39 ` John Haxby
2014-11-12 18:09 ` George Dunlap
2014-11-13 17:36 ` Ian Jackson
2014-11-14 12:10 ` Lars Kurth
2014-11-14 12:50 ` Ian Jackson
2014-11-14 17:37 ` Lars Kurth
2015-01-16 19:23 ` Ian Jackson
2015-01-16 19:48 ` [PATCH SECURITY-POLICY 0/9] " Ian Jackson
2015-01-16 19:52 ` [PATCH SECURITY-POLICY 1/9] Grammar fix: Remove a comma splice Ian Jackson
2015-01-16 19:52 ` [PATCH SECURITY-POLICY 2/9] Add headings Ian Jackson
2015-01-16 19:52 ` [PATCH SECURITY-POLICY 3/9] Deployment with Security Team Permission Ian Jackson
2015-01-19 10:20 ` Jan Beulich
2015-01-19 11:18 ` Lars Kurth
2015-01-19 13:38 ` Ian Jackson
2015-01-19 14:25 ` Ian Campbell
2015-01-19 15:55 ` George Dunlap
2015-01-19 19:48 ` Lars Kurth
2015-01-19 12:36 ` Ian Campbell
2015-01-19 13:50 ` Jan Beulich
2015-01-19 12:35 ` Ian Campbell [this message]
2015-01-19 13:08 ` Ian Jackson
2015-01-19 13:10 ` Ian Campbell
2015-01-16 19:52 ` [PATCH SECURITY-POLICY 4/9] Use a public mailing list for predisclosure membership applications Ian Jackson
2015-01-19 12:49 ` Ian Campbell
2015-01-19 13:10 ` Ian Jackson
2015-01-19 13:19 ` Ian Campbell
2015-01-19 16:21 ` Don Koch
2015-01-19 17:57 ` Ian Jackson
2015-01-16 19:52 ` [PATCH SECURITY-POLICY 5/9] Tighten, and make more objective, predisclosure list application Ian Jackson
2015-01-16 19:52 ` [PATCH SECURITY-POLICY 6/9] Explicitly permit within-list information sharing during embargo Ian Jackson
2015-01-16 19:52 ` [PATCH SECURITY-POLICY 7/9] Clarify and fix prior consultation text Ian Jackson
2015-01-16 19:52 ` [PATCH SECURITY-POLICY 8/9] Clarify what announcements may be made by to service users Ian Jackson
2015-01-16 19:52 ` [PATCH SECURITY-POLICY 9/9] Document changes in changelog and heading Ian Jackson
2015-01-19 10:29 ` [PATCH SECURITY-POLICY 0/9] Re: Security policy ambiguities - XSA-108 process post-mortem Jan Beulich
2015-01-19 13:36 ` Ian Jackson
2015-01-19 19:45 ` Lars Kurth
2015-01-19 14:57 ` George Dunlap
2015-01-23 19:31 ` [PATCH v2 SECURITY-POLICY 0/9] " Ian Jackson
2015-01-23 19:31 ` [PATCH v2 SECURITY-POLICY 1/9] Grammar fix: Remove a comma splice Ian Jackson
2015-01-23 19:31 ` [PATCH v2 SECURITY-POLICY 2/9] Add headings Ian Jackson
2015-01-23 19:31 ` [PATCH v2 SECURITY-POLICY 3/9] Deployment with Security Team Permission Ian Jackson
2015-01-23 19:31 ` [PATCH v2 SECURITY-POLICY 4/9] Use a public mailing list for predisclosure membership applications Ian Jackson
2015-01-23 19:31 ` [PATCH v2 SECURITY-POLICY 5/9] Tighten, and make more objective, predisclosure list application Ian Jackson
2015-01-23 19:31 ` [PATCH v2 SECURITY-POLICY 6/9] Explicitly permit within-list information sharing during embargo Ian Jackson
2015-01-23 19:31 ` [PATCH v2 SECURITY-POLICY 7/9] Clarify and fix prior consultation text Ian Jackson
2015-01-23 19:31 ` [PATCH v2 SECURITY-POLICY 8/9] Clarify what announcements may be made by to service users Ian Jackson
2015-01-23 19:31 ` [PATCH v2 SECURITY-POLICY 9/9] Document changes in changelog and heading Ian Jackson
2015-02-02 17:27 ` [PATCH v2 SECURITY-POLICY 0/9] Security policy ambiguities - XSA-108 process post-mortem Ian Jackson
2015-02-03 9:49 ` Lars Kurth
2014-10-09 11:09 ` George Dunlap
2014-10-10 14:47 ` Jan Beulich
2014-10-13 11:23 ` George Dunlap
2014-10-13 12:16 ` Lars Kurth
2014-11-10 17:25 ` Ian Jackson
2014-10-29 13:27 ` James Bulpin
2014-11-10 17:21 ` Ian Jackson
2014-10-21 12:32 ` Ian Campbell
2014-10-21 14:31 ` Matt Wilson
2014-10-21 15:06 ` Jan Beulich
2014-11-10 17:29 ` Ian Jackson
2014-11-10 17:39 ` George Dunlap
2014-11-10 18:04 ` Ian Jackson
2014-10-30 11:58 ` Ian Jackson
2014-10-31 22:40 ` Matt Wilson
2014-11-03 11:37 ` George Dunlap
2014-11-03 17:23 ` Matt Wilson
2014-11-05 11:17 ` Ian Campbell
2014-11-06 16:01 ` Lars Kurth
2014-11-10 12:35 ` Ian Campbell
2014-10-22 23:23 ` Bastian Blank
2014-10-29 13:27 ` James Bulpin
2014-11-10 17:42 ` Ian Jackson
2014-10-09 8:29 ` Ian Campbell
2014-10-09 8:45 ` Processed: " xen
2014-10-29 13:27 ` James Bulpin
2014-10-30 10:51 ` Tim Deegan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1421670929.10440.75.camel@citrix.com \
--to=ian.campbell@citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=ijackson@chiark.greenend.org.uk \
--cc=lars.kurth.xen@gmail.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.