* [PATCH] Minor security policy text changes to avoid ambiguity
From: Lars Kurth @ 2019-03-01 13:55 UTC
To: xen-devel; +Cc: Lars Kurth, committers

See http://xenbits.xen.org/gitweb/?p=people/larsk/governance.git;a=summary
for the repository.

Signed-off-by: Lars Kurth <lars.kurth@citrix.com>
CC: committers@xenproject.org
---
 security-policy.pandoc | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/security-policy.pandoc b/security-policy.pandoc
index 8e07384..74d0d8b 100644
--- a/security-policy.pandoc
+++ b/security-policy.pandoc
@@ -214,8 +214,9 @@ List members are allowed to make available to their users only the following:
 - The planned disclosure date
 
 List members may, if (and only if) the Security Team grants permission, deploy
-fixed versions during the embargo. Permission for deployment, and any
-restrictions, will be stated in the embargoed advisory text.
+fixed versions to their own public facing service during the embargo. Permission
+for deployment, and any restrictions, will be stated in the embargoed advisory
+text.
 
 The Security Team will normally permit such deployment, even for systems where
 VMs are managed or used by non-members of the predisclosure list. The Security
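Review bot: "to their own public facing service" (singular, and qualified by "public facing") narrows the permission more than the sentence needs: a member running fixed versions on several services, or on hosts that are not public facing, falls outside the literal wording, even though the very next paragraph contemplates deployment on systems whose VMs are managed or used by non-members. "on their own services" expresses the deploy-versus-distribute distinction without that side effect, and since that distinction is the ambiguity this patch targets, the statement that distribution remains prohibited reads best in this same sentence rather than in a separate paragraph further down.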
@@ -232,6 +233,9 @@ information about the issue (as listed above). This applies whether the
 deployment occurs during the embargo (with permission - see above) or is planned
 for after the end of the embargo.
 
+NB: Distribution of updated software is prohibited (except to other members of
+the predisclosure list).
+
 *NOTE:* Prior v2.2 of this policy (25 June 2014) it was permitted to also make
 available the allocated CVE number. This is no longer permitted in accordance
 with MITRE policy.[]()
@@ -408,6 +412,7 @@ Change History {#changelog}
 --------------
 
 <div class="box-note">
+- **v3.22 March 1st 2019:** Minor policy text clarifications
 - **v3.21 Nov 19th 2018:** Added XCP-ng.org
 - **v3.20 June 14th 2018:** Added Star Lab
 - **v3.19 May 9th 2018:** Remove Google and Xen 3.4 stable tree maintainer
-- 
2.13.0

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
* Re: [PATCH] Minor security policy text changes to avoid ambiguity
From: Andrew Cooper @ 2019-03-01 14:03 UTC
To: Lars Kurth, xen-devel; +Cc: committers

On 01/03/2019 13:55, Lars Kurth wrote:
> See http://xenbits.xen.org/gitweb/?p=people/larsk/governance.git;a=summary
> for the repository.
>
> Signed-off-by: Lars Kurth <lars.kurth@citrix.com>

Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
* Re: [PATCH] Minor security policy text changes to avoid ambiguity
From: George Dunlap @ 2019-03-01 14:11 UTC
To: Lars Kurth, xen-devel; +Cc: committers

On 3/1/19 1:55 PM, Lars Kurth wrote:
> See http://xenbits.xen.org/gitweb/?p=people/larsk/governance.git;a=summary
> for the repository.
>
> Signed-off-by: Lars Kurth <lars.kurth@citrix.com>
> CC: committers@xenproject.org

Acked-by: George Dunlap <george.dunlap@citrix.com>
* Re: [PATCH] Minor security policy text changes to avoid ambiguity
From: Ian Jackson @ 2019-03-01 14:48 UTC
To: xen-devel, committers

Lars Kurth writes ("[PATCH] Minor security policy text changes to avoid ambiguity"):
> See http://xenbits.xen.org/gitweb/?p=people/larsk/governance.git;a=summary
> for the repository.

I don't think in fact that there was previously any ambiguity. The
text in the policy two paragraphs earlier explains in detail, and
entirely explicitly and without any room for doubt, that distribution
is prohibited.

The misunderstanding arises through reading just the section on
`deployment' out of context and then taking a wide reading of
`deployment'.

This is a common failure mode with any kind of document: the document
is long or the reader is in a hurry or stressed, so they do not read
all of it; they look for the part that seems to apply to them and
misunderstand it, in haste. Also people tend to read what they want
to hear.

Adding more text far from the site of the misunderstanding does
nothing to help this. Rather, it makes it worse: there is an
antipattern in documents of this kind where every misunderstanding
results in the addition of further repetitive text. The document then
becomes longer, and reading the whole thing becomes harder and also
less worthwhile.

I think adding a small amount of text can be valuable, in important
cases, if it is done right next to the site of the potential
misunderstanding. In this case I think that means something more like
the patch below.

What do people think ?

Thanks,
Ian.


commit 35ad94db90eb6d926416deeaddf8cc19b0f46ef1
Author: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Fri Mar 1 14:40:06 2019 +0000

    Avoid misunderstanding of `deploy'

diff --git a/security-policy.pandoc b/security-policy.pandoc
index 8e07384..af285be 100644
--- a/security-policy.pandoc
+++ b/security-policy.pandoc
@@ -213,9 +213,11 @@ List members are allowed to make available to their users only the following:
 - The assigned XSA number
 - The planned disclosure date
 
 List members may, if (and only if) the Security Team grants
 permission, deploy fixed versions {+on their own services+} during the
 embargo. {+(NB: Distribution of fixes is, mostly, prohibited; see above.)+}
 Permission for deployment, and any restrictions, will be stated in the
 embargoed advisory text.
 
 The Security Team will normally permit such deployment, even for systems where
 VMs are managed or used by non-members of the predisclosure list. The Security



From 35ad94db90eb6d926416deeaddf8cc19b0f46ef1 Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Fri, 1 Mar 2019 14:40:06 +0000
Subject: [PATCH] Avoid misunderstanding of `deploy'

---
 security-policy.pandoc | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/security-policy.pandoc b/security-policy.pandoc
index 8e07384..af285be 100644
--- a/security-policy.pandoc
+++ b/security-policy.pandoc
@@ -213,9 +213,11 @@ List members are allowed to make available to their users only the following:
 - The assigned XSA number
 - The planned disclosure date
 
-List members may, if (and only if) the Security Team grants permission, deploy
-fixed versions during the embargo. Permission for deployment, and any
-restrictions, will be stated in the embargoed advisory text.
+List members may, if (and only if) the Security Team grants
+permission, deploy fixed versions on their own services during the
+embargo. (NB: Distribution of fixes is, mostly, prohibited; see above.)
+Permission for deployment, and any restrictions, will be stated in the
+embargoed advisory text.
 
 The Security Team will normally permit such deployment, even for systems where
 VMs are managed or used by non-members of the predisclosure list. The Security
-- 
2.11.0
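Review bot: "mostly, prohibited" in the added NB leaves open exactly the question the note is meant to settle; a reader who skims to this paragraph (the failure mode the covering mail describes) learns that some distribution is permitted without learning which, and "see above" gives no section to jump to in a long document. Naming the exception or the section that defines it would close that gap, e.g. "(NB: Distribution of fixes is prohibited except as set out in <section on distribution>; see above.)" with the actual section reference filled in. The rewrap of the first line also makes the hunk replace the whole paragraph when only words were added, which is why the word-diff above reads more clearly than this unified hunk.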
* Re: [PATCH] Minor security policy text changes to avoid ambiguity
From: George Dunlap @ 2019-05-07 16:35 UTC
To: Ian Jackson, xen-devel, committers

On 3/1/19 2:48 PM, Ian Jackson wrote:
> Lars Kurth writes ("[PATCH] Minor security policy text changes to avoid ambiguity"):
>> See http://xenbits.xen.org/gitweb/?p=people/larsk/governance.git;a=summary
>> for the repository.
>
> I don't think in fact that there was previously any ambiguity. The
> text in the policy two paragraphs earlier explains in detail, and
> entirely explicitly and without any room for doubt, that distribution
> is prohibited.
>
> The misunderstanding arises through reading just the section on
> `deployment' out of context and then taking a wide reading of
> `deployment'.
>
> This is a common failure mode with any kind of document: the document
> is long or the reader is in a hurry or stressed, so they do not read
> all of it; they look for the part that seems to apply to them and
> misunderstand it, in haste. Also people tend to read what they want
> to hear.
>
> Adding more text far from the site of the misunderstanding does
> nothing to help this. Rather, it makes it worse: there is an
> antipattern in documents of this kind where every misunderstanding
> results in the addition of further repetitive text. The document then
> becomes longer, and reading the whole thing becomes harder and also
> less worthwhile.
>
> I think adding a small amount of text can be valuable, in important
> cases, if it is done right next to the site of the potential
> misunderstanding. In this case I think that means something more like
> the patch below.
>
> What do people think ?
>
> Thanks,
> Ian.
>
>
> commit 35ad94db90eb6d926416deeaddf8cc19b0f46ef1
> Author: Ian Jackson <ian.jackson@eu.citrix.com>
> Date: Fri Mar 1 14:40:06 2019 +0000
>
>     Avoid misunderstanding of `deploy'
>
> diff --git a/security-policy.pandoc b/security-policy.pandoc
> index 8e07384..af285be 100644
> --- a/security-policy.pandoc
> +++ b/security-policy.pandoc
> @@ -213,9 +213,11 @@ List members are allowed to make available to their users only the following:
>  - The assigned XSA number
>  - The planned disclosure date
>  
>  List members may, if (and only if) the Security Team grants
>  permission, deploy fixed versions {+on their own services+} during the
>  embargo. {+(NB: Distribution of fixes is, mostly, prohibited; see above.)+}
>  Permission for deployment, and any restrictions, will be stated in the
>  embargoed advisory text.
>  
>  The Security Team will normally permit such deployment, even for systems where
>  VMs are managed or used by non-members of the predisclosure list. The Security
>
>
>
> From 35ad94db90eb6d926416deeaddf8cc19b0f46ef1 Mon Sep 17 00:00:00 2001
> From: Ian Jackson <ian.jackson@eu.citrix.com>
> Date: Fri, 1 Mar 2019 14:40:06 +0000
> Subject: [PATCH] Avoid misunderstanding of `deploy'
>
> ---
>  security-policy.pandoc | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/security-policy.pandoc b/security-policy.pandoc
> index 8e07384..af285be 100644
> --- a/security-policy.pandoc
> +++ b/security-policy.pandoc
> @@ -213,9 +213,11 @@ List members are allowed to make available to their users only the following:
>  - The assigned XSA number
>  - The planned disclosure date
>  
> -List members may, if (and only if) the Security Team grants permission, deploy
> -fixed versions during the embargo. Permission for deployment, and any
> -restrictions, will be stated in the embargoed advisory text.
> +List members may, if (and only if) the Security Team grants
> +permission, deploy fixed versions on their own services during the
> +embargo. (NB: Distribution of fixes is, mostly, prohibited; see above.)
> +Permission for deployment, and any restrictions, will be stated in the
> +embargoed advisory text.

This change looks good to me -- has it been committed yet?

-George