From mboxrd@z Thu Jan 1 00:00:00 1970
From: Thomas Goirand
Subject: Re: Security vulnerability process, and CVE-2012-0217
Date: Fri, 29 Jun 2012 23:48:41 +0800
Message-ID: <4FEDCE59.6020003@goirand.fr>
References: <20448.49637.38489.246434@mariner.uk.xensource.com> <4FEB4BDD.5040205@goirand.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: xen-devel@lists.xen.org
List-Id: xen-devel@lists.xenproject.org

On 06/29/2012 06:01 PM, George Dunlap wrote:
> On Wed, Jun 27, 2012 at 7:07 PM, Thomas Goirand wrote:
>> On 06/20/2012 05:45 PM, George Dunlap wrote:
>>> The only way this would work is if the predisclosure list consisted
>>> exclusively of software providers, and specifically excluded service
>>> providers.
>> I agree, though you might have corner cases.
>>
>> What if you are *both* software and service provider (eg: I'm working on
>> Debian and XCP, and my small company provides a hosted Xen service)?
>
> If we do make a rule that only software providers can be on the list,
> and not service providers, then ideally you should try to separate the
> roles. If you are on the list as a software provider, you should use
> that information only to prepare patches; but not deploy them on your
> own systems until the embargo date.
>
> In a way, the question is very similar to asking, "I'm working on
> Debian and XCP, and my best friend owns a small company that provides
> a hosted Xen service." If you told your friend about the
> vulnerability, you would be breaking the security embargo (and giving
> your friend an unfair advantage over other hosting services), and
> would be at risk of being removed from the list if someone found out.
> If you wear two "hats", as it were, the same would be true if your
> developer "hat" told your service provider "hat": actually updating
> your systems before the embargo would (I think) be considered breaking
> the embargo, and would be giving yourself an unfair advantage over
> other hosting services.
>
> (All of the above discussion is, of course, only valid in the
> hypothetical situation that we don't allow service providers to be on
> the list.)
>
> -George

Exactly what I think as well. I'm happy you wrote the above.

Thomas