[PATCH] Minor security policy text changes to avoid ambiguity

[PATCH] Minor security policy text changes to avoid ambiguity

[Lars Kurth]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=y, Size: 1935 bytes --]

See http://xenbits.xen.org/gitweb/?p=people/larsk/governance.git;a=summary
for the repository.

Signed-off-by: Lars Kurth <lars.kurth@citrix.com>
CC: committers@xenproject.org
---
 security-policy.pandoc | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/security-policy.pandoc b/security-policy.pandoc
index 8e07384..74d0d8b 100644
--- a/security-policy.pandoc
+++ b/security-policy.pandoc
@@ -214,8 +214,9 @@ List members are allowed to make available to their users only the following:
 -   The planned disclosure date
 
 List members may, if (and only if) the Security Team grants permission, deploy
-fixed versions during the embargo. Permission for deployment, and any
-restrictions, will be stated in the embargoed advisory text.
+fixed versions to their own public facing service during the embargo. Permission
+for deployment, and any restrictions, will be stated in the embargoed advisory
+text.
 
 The Security Team will normally permit such deployment, even for systems where
 VMs are managed or used by non-members of the predisclosure list. The Security
@@ -232,6 +233,9 @@ information about the issue (as listed above). This applies whether the
 deployment occurs during the embargo (with permission - see above) or is
 planned for after the end of the embargo.
 
+NB: Distribution of updated software is prohibited (except to other members of
+the predisclosure list).
+
 *NOTE:* Prior v2.2 of this policy (25 June 2014) it was permitted to also make
 available the allocated CVE number. This is no longer permitted in accordance
 with MITRE policy.[]()
@@ -408,6 +412,7 @@ Change History {#changelog}
 --------------
 
 <div class="box-note">
+-   **v3.22 March 1st 2019:** Minor policy text clarifications
 -   **v3.21 Nov 19th 2018:** Added XCP-ng.org
 -   **v3.20 June 14th 2018:** Added Star Lab
 -   **v3.19 May 9th 2018:** Remove Google and Xen 3.4 stable tree maintainer
-- 
2.13.0



[-- Attachment #2: Type: text/plain, Size: 157 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH] Minor security policy text changes to avoid ambiguity

[Andrew Cooper]

On 01/03/2019 13:55, Lars Kurth wrote:
> See http://xenbits.xen.org/gitweb/?p=people/larsk/governance.git;a=summary
> for the repository.
>
> Signed-off-by: Lars Kurth <lars.kurth@citrix.com>

Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH] Minor security policy text changes to avoid ambiguity

[George Dunlap]

On 3/1/19 1:55 PM, Lars Kurth wrote:
> See http://xenbits.xen.org/gitweb/?p=people/larsk/governance.git;a=summary
> for the repository.
> 
> Signed-off-by: Lars Kurth <lars.kurth@citrix.com>
> CC: committers@xenproject.org

Acked-by: George Dunlap <george.dunlap@citrix.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH] Minor security policy text changes to avoid ambiguity

[Ian Jackson]

Lars Kurth writes ("[PATCH] Minor security policy text changes to avoid ambiguity"):
> See http://xenbits.xen.org/gitweb/?p=people/larsk/governance.git;a=summary
> for the repository.

I don't think in fact that there was previously any ambiguity.  The
text in the policy two paragraphs earlier explains in detail, and
entirely explicitly and without any room for doubt, that distribution
is prohibited.

The misunderstanding arises through reading just the section on
`deployment' out of context and then taking a wide reading of
`deployment'.

This is a common failure mode with any kind of document: the document
is long or the reader is in a hurry or stressed, so they do not read
all of it; they look for the part that seems to apply to them and
misunderstand it, in haste.  Also people tend to read what they want
to hear.

Adding more text far from the site of the misunderstanding does
nothing to help this.  Rather, it makes it worse: there is an
antipattern in documents of this kind where every misunderstanding
results in the addition of further repetitive text.  The document then
becomes longer, and reading the whole thing becomes harder and also
less worthwhile.

I think adding a small amount of text can be valuable, in important
cases, if it is done right next to the site of the potential
misunderstanding.  In this case I think that means something more like
the patch below.

What do people think ?

Thanks,
Ian.


commit 35ad94db90eb6d926416deeaddf8cc19b0f46ef1
Author: Ian Jackson <ian.jackson@eu.citrix.com>
Date:   Fri Mar 1 14:40:06 2019 +0000

    Avoid misunderstanding of `deploy'

diff --git a/security-policy.pandoc b/security-policy.pandoc
index 8e07384..af285be 100644
--- a/security-policy.pandoc
+++ b/security-policy.pandoc
@@ -213,9 +213,11 @@ List members are allowed to make available to their users only the following:
-   The assigned XSA number
-   The planned disclosure date

List members may, if (and only if) the Security Team grants
permission, deploy fixed versions {+on their own services+} during the
embargo.  {+(NB: Distribution of fixes is, mostly, prohibited; see above.)+}
Permission for deployment, and any restrictions, will be stated in the
embargoed advisory text.

The Security Team will normally permit such deployment, even for systems where
VMs are managed or used by non-members of the predisclosure list. The Security



From 35ad94db90eb6d926416deeaddf8cc19b0f46ef1 Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Fri, 1 Mar 2019 14:40:06 +0000
Subject: [PATCH] Avoid misunderstanding of `deploy'

---
 security-policy.pandoc | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/security-policy.pandoc b/security-policy.pandoc
index 8e07384..af285be 100644
--- a/security-policy.pandoc
+++ b/security-policy.pandoc
@@ -213,9 +213,11 @@ List members are allowed to make available to their users only the following:
 -   The assigned XSA number
 -   The planned disclosure date
 
-List members may, if (and only if) the Security Team grants permission, deploy
-fixed versions during the embargo. Permission for deployment, and any
-restrictions, will be stated in the embargoed advisory text.
+List members may, if (and only if) the Security Team grants
+permission, deploy fixed versions on their own services during the
+embargo.  (NB: Distribution of fixes is, mostly, prohibited; see above.)
+Permission for deployment, and any restrictions, will be stated in the
+embargoed advisory text.
 
 The Security Team will normally permit such deployment, even for systems where
 VMs are managed or used by non-members of the predisclosure list. The Security
-- 
2.11.0


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH] Minor security policy text changes to avoid ambiguity

[George Dunlap]

On 3/1/19 2:48 PM, Ian Jackson wrote:
> Lars Kurth writes ("[PATCH] Minor security policy text changes to avoid ambiguity"):
>> See http://xenbits.xen.org/gitweb/?p=people/larsk/governance.git;a=summary
>> for the repository.
> 
> I don't think in fact that there was previously any ambiguity.  The
> text in the policy two paragraphs earlier explains in detail, and
> entirely explicitly and without any room for doubt, that distribution
> is prohibited.
> 
> The misunderstanding arises through reading just the section on
> `deployment' out of context and then taking a wide reading of
> `deployment'.
> 
> This is a common failure mode with any kind of document: the document
> is long or the reader is in a hurry or stressed, so they do not read
> all of it; they look for the part that seems to apply to them and
> misunderstand it, in haste.  Also people tend to read what they want
> to hear.
> 
> Adding more text far from the site of the misunderstanding does
> nothing to help this.  Rather, it makes it worse: there is an
> antipattern in documents of this kind where every misunderstanding
> results in the addition of further repetitive text.  The document then
> becomes longer, and reading the whole thing becomes harder and also
> less worthwhile.
> 
> I think adding a small amount of text can be valuable, in important
> cases, if it is done right next to the site of the potential
> misunderstanding.  In this case I think that means something more like
> the patch below.
> 
> What do people think ?
> 
> Thanks,
> Ian.
> 
> 
> commit 35ad94db90eb6d926416deeaddf8cc19b0f46ef1
> Author: Ian Jackson <ian.jackson@eu.citrix.com>
> Date:   Fri Mar 1 14:40:06 2019 +0000
> 
>     Avoid misunderstanding of `deploy'
> 
> diff --git a/security-policy.pandoc b/security-policy.pandoc
> index 8e07384..af285be 100644
> --- a/security-policy.pandoc
> +++ b/security-policy.pandoc
> @@ -213,9 +213,11 @@ List members are allowed to make available to their users only the following:
> -   The assigned XSA number
> -   The planned disclosure date
> 
> List members may, if (and only if) the Security Team grants
> permission, deploy fixed versions {+on their own services+} during the
> embargo.  {+(NB: Distribution of fixes is, mostly, prohibited; see above.)+}
> Permission for deployment, and any restrictions, will be stated in the
> embargoed advisory text.
> 
> The Security Team will normally permit such deployment, even for systems where
> VMs are managed or used by non-members of the predisclosure list. The Security
> 
> 
> 
> From 35ad94db90eb6d926416deeaddf8cc19b0f46ef1 Mon Sep 17 00:00:00 2001
> From: Ian Jackson <ian.jackson@eu.citrix.com>
> Date: Fri, 1 Mar 2019 14:40:06 +0000
> Subject: [PATCH] Avoid misunderstanding of `deploy'
> 
> ---
>  security-policy.pandoc | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/security-policy.pandoc b/security-policy.pandoc
> index 8e07384..af285be 100644
> --- a/security-policy.pandoc
> +++ b/security-policy.pandoc
> @@ -213,9 +213,11 @@ List members are allowed to make available to their users only the following:
>  -   The assigned XSA number
>  -   The planned disclosure date
>  
> -List members may, if (and only if) the Security Team grants permission, deploy
> -fixed versions during the embargo. Permission for deployment, and any
> -restrictions, will be stated in the embargoed advisory text.
> +List members may, if (and only if) the Security Team grants
> +permission, deploy fixed versions on their own services during the
> +embargo.  (NB: Distribution of fixes is, mostly, prohibited; see above.)
> +Permission for deployment, and any restrictions, will be stated in the
> +embargoed advisory text.

This change looks good to me -- has it been committed yet?

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH] Minor security policy text changes to avoid ambiguity

[George Dunlap]

On 3/1/19 2:48 PM, Ian Jackson wrote:
> Lars Kurth writes ("[PATCH] Minor security policy text changes to avoid ambiguity"):
>> See http://xenbits.xen.org/gitweb/?p=people/larsk/governance.git;a=summary
>> for the repository.
> 
> I don't think in fact that there was previously any ambiguity.  The
> text in the policy two paragraphs earlier explains in detail, and
> entirely explicitly and without any room for doubt, that distribution
> is prohibited.
> 
> The misunderstanding arises through reading just the section on
> `deployment' out of context and then taking a wide reading of
> `deployment'.
> 
> This is a common failure mode with any kind of document: the document
> is long or the reader is in a hurry or stressed, so they do not read
> all of it; they look for the part that seems to apply to them and
> misunderstand it, in haste.  Also people tend to read what they want
> to hear.
> 
> Adding more text far from the site of the misunderstanding does
> nothing to help this.  Rather, it makes it worse: there is an
> antipattern in documents of this kind where every misunderstanding
> results in the addition of further repetitive text.  The document then
> becomes longer, and reading the whole thing becomes harder and also
> less worthwhile.
> 
> I think adding a small amount of text can be valuable, in important
> cases, if it is done right next to the site of the potential
> misunderstanding.  In this case I think that means something more like
> the patch below.
> 
> What do people think ?
> 
> Thanks,
> Ian.
> 
> 
> commit 35ad94db90eb6d926416deeaddf8cc19b0f46ef1
> Author: Ian Jackson <ian.jackson@eu.citrix.com>
> Date:   Fri Mar 1 14:40:06 2019 +0000
> 
>     Avoid misunderstanding of `deploy'
> 
> diff --git a/security-policy.pandoc b/security-policy.pandoc
> index 8e07384..af285be 100644
> --- a/security-policy.pandoc
> +++ b/security-policy.pandoc
> @@ -213,9 +213,11 @@ List members are allowed to make available to their users only the following:
> -   The assigned XSA number
> -   The planned disclosure date
> 
> List members may, if (and only if) the Security Team grants
> permission, deploy fixed versions {+on their own services+} during the
> embargo.  {+(NB: Distribution of fixes is, mostly, prohibited; see above.)+}
> Permission for deployment, and any restrictions, will be stated in the
> embargoed advisory text.
> 
> The Security Team will normally permit such deployment, even for systems where
> VMs are managed or used by non-members of the predisclosure list. The Security
> 
> 
> 
> From 35ad94db90eb6d926416deeaddf8cc19b0f46ef1 Mon Sep 17 00:00:00 2001
> From: Ian Jackson <ian.jackson@eu.citrix.com>
> Date: Fri, 1 Mar 2019 14:40:06 +0000
> Subject: [PATCH] Avoid misunderstanding of `deploy'
> 
> ---
>  security-policy.pandoc | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/security-policy.pandoc b/security-policy.pandoc
> index 8e07384..af285be 100644
> --- a/security-policy.pandoc
> +++ b/security-policy.pandoc
> @@ -213,9 +213,11 @@ List members are allowed to make available to their users only the following:
>  -   The assigned XSA number
>  -   The planned disclosure date
>  
> -List members may, if (and only if) the Security Team grants permission, deploy
> -fixed versions during the embargo. Permission for deployment, and any
> -restrictions, will be stated in the embargoed advisory text.
> +List members may, if (and only if) the Security Team grants
> +permission, deploy fixed versions on their own services during the
> +embargo.  (NB: Distribution of fixes is, mostly, prohibited; see above.)
> +Permission for deployment, and any restrictions, will be stated in the
> +embargoed advisory text.

This change looks good to me -- has it been committed yet?

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel