From mboxrd@z Thu Jan 1 00:00:00 1970
From: George Dunlap
Subject: Re: Security vulnerability process, and CVE-2012-0217
Date: Wed, 4 Jul 2012 13:56:09 +0100
References: <20448.49637.38489.246434@mariner.uk.xensource.com> <4FEB4BDD.5040205@goirand.fr> <4FEC23B7.7020802@xen.org> <20120703220337.GC4332@US-SEA-R8XVZTX> <4FF45896020000780008DA4C@nat28.tlf.novell.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <4FF45896020000780008DA4C@nat28.tlf.novell.com>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Jan Beulich
Cc: Stefano Stabellini, Lars Kurth, Matt Wilson, "xen-devel@lists.xen.org"
List-Id: xen-devel@lists.xenproject.org

On Wed, Jul 4, 2012 at 1:52 PM, Jan Beulich wrote:
> Being on the list doesn't make you non-susceptible. Such an
> approach, imo, would need to imply permission to anyone on
> the list to deploy a fix as soon as it is available. But since
> distros can't ship binaries without also making sources available,
> that's a contradiction by itself.

Yes, preventing vendors from shipping until the public disclosure date would discriminate against "vendor-supplied" users in favor of "self-supplied" users (i.e., those who download and build their own directly from xen.org).

Would it work to say that vendors can ship to anyone on the list? In theory that could work, but in practice I think most distros would rather just release once and be done with it, rather than dealing with a 2-stage process.

-George