From mboxrd@z Thu Jan  1 00:00:00 1970
From: Lars Kurth <lars.kurth.xen@gmail.com>
Subject: Re: Security policy ambiguities - XSA-108 process
	post-mortem
Date: Mon, 13 Oct 2014 14:16:57 +0200
Message-ID: <4D7AD178-9E02-4C71-ADCC-6BF2E3DE3E80@gmail.com>
References: <21557.24142.873029.148164@mariner.uk.xensource.com>
	<21557.50031.783473.873273@chiark.greenend.org.uk>
	<54380D8F020000780003DD5E@mail.emea.novell.com>
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <lars.kurth.xen@gmail.com>) id 1XdeYg-00050V-1r
	for xen-devel@lists.xenproject.org; Mon, 13 Oct 2014 12:17:02 +0000
Received: by mail-wi0-f176.google.com with SMTP id hi2so7217756wib.9
	for <xen-devel@lists.xenproject.org>;
	Mon, 13 Oct 2014 05:17:00 -0700 (PDT)
In-Reply-To: <54380D8F020000780003DD5E@mail.emea.novell.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Jan Beulich <jbeulich@suse.com>
Cc: xen-devel@lists.xenproject.org, Ian Jackson <ijackson@chiark.greenend.org.uk>
List-Id: xen-devel@lists.xenproject.org


On 10 Oct 2014, at 16:47, Jan Beulich <jbeulich@suse.com> wrote:
> 
>>> Predisclosure list memembership
> 
> This whole final section I completely agree with.
> 
> There's one more thing I thought of btw: When we change the
> policy following whatever community input we gathered (not just
> now, but also in the future), people currently on the pre-disclosure
> list may (at least theoretically) end up no longer qualifying for
> being on the list. Shouldn't we
> - add some kind of statement to the effect of implicit agreement
>  to changed terms,
> - provide means for list members to be removed other than by
>  them asking for it?
> 
> Jan

I also was wondering whether it would make sense to put a time-limit on applications. For example, we could say that processing an application will take 2 weeks. By doing so, we avoid having to handle applications as a response to media speculation. If we get an application wrong, and allow somebody wrong on the list who then discloses information related to an embargo, we would create risks for others already on the list. This would be the worst possible outcome for the project. Just a thought

Regards
Lars