From: Stefano Stabellini
Subject: Re: Security vulnerability process, and CVE-2012-0217
Date: Wed, 4 Jul 2012 16:09:01 +0100
References: <20448.49637.38489.246434@mariner.uk.xensource.com> <4FEB4BDD.5040205@goirand.fr> <4FEC23B7.7020802@xen.org> <20120703220337.GC4332@US-SEA-R8XVZTX> <4FF45896020000780008DA4C@nat28.tlf.novell.com> <4FF46AC9020000780008DAFD@nat28.tlf.novell.com>
In-Reply-To: <4FF46AC9020000780008DAFD@nat28.tlf.novell.com>
To: Jan Beulich
Cc: George Dunlap, xen-devel@lists.xen.org, Lars Kurth, Matt Wilson, Stefano Stabellini
List-Id: xen-devel@lists.xenproject.org

On Wed, 4 Jul 2012, Jan Beulich wrote:
> >>> On 04.07.12 at 15:30, Stefano Stabellini wrote:
> > Can we just avoid all this and use the security list to communicate that
> > a fix is going to be available on a particular hour of a particular day?
> > This way all the software vendors and service providers can ready
> > themselves to deploy it as soon as they can.
> > The fix would be released to the security list and xen-devel at the same
> > time.
>
> That would only call for each party trying to create and deliver
> their fix themselves and up front. You'd then also have to hide
> the issue description.

Yes, we would have to hide the issue description.

> Which would render the security list redundant.

It would be a very different kind of security list.

> > In practice, given the terms of the GPL, we cannot restrict anybody on
> > the list from releasing the source of the fix before the embargo ends.
>
> Of course. It's an agreement between the list members to not
> disclose anything.

Yes, but an agreement that cannot be legally enforced.