From: James Bulpin
Subject: Re: Security policy ambiguities - XSA-108 process post-mortem
Date: Wed, 29 Oct 2014 13:27:58 +0000
Message-ID: <817F8DE966913E4D91404CA656535C84113E599F@AMSPEX01CL01.citrite.net>
References: <21557.24142.873029.148164@mariner.uk.xensource.com> <21557.50031.783473.873273@chiark.greenend.org.uk> <20141022232354.GA27437@mail.waldi.eu.org>
In-Reply-To: <20141022232354.GA27437@mail.waldi.eu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: "xen-devel@lists.xen.org"
List-Id: xen-devel@lists.xenproject.org

Bastian Blank writes ("Security policy ambiguities - XSA-108 process post-mortem"):
> [snip]
> > List members who are service providers may deploy fixed versions
> > during the embargo, PROVIDED THAT any action taken by the service
> > provider gives no indication (to their users or anyone else) as to
> > the nature of the vulnerability.
>
> Why this constraint to "who are service providers"?

+1

We already have a definition of eligibility for membership of the
pre-disclosure list and therefore I don't think it is necessary or
desirable to further constrain specific privileges to subsets of the
list members.

Cheers,
James

--
James Bulpin
Sr. Director, Technology, XenServer/Networking, Cloud & Service Provider Group
Citrix Systems Inc.