Please read below.
V/r,
Daniel P. Smith
Apertus Solutions, LLC
============ Forwarded message ============
From: George Dunlap
To: "Olivier Lambert", "Marek Marczykowski-Górecki", "Christopher Clark", "Daniel P. Smith"
Cc: "Xen Project Security Team"
Date: Mon, 11 Dec 2023 11:16:48 -0500
Subject: [PRIVATE REPLY] Re: [PATCH] security-process.pandoc: Statement on issuing XSAs for older versions of Xen
============ Forwarded message ============
> On Fri, Oct 27, 2023 at 3:26 PM George Dunlap <george...@cloud.com> wrote:
> >
> > We recently had a situation where a security issue was discovered
> > which only affected versions of Xen out of security support from an
> > upstream perspective. However, many downstreams (including XenServer
> > and SUSE) still had supported products based on the versions affected.
> >
> > Specify what the security team will do in this situation in the
> > future. As always, the goal here is to be fair and helpful, without
> > adding to the workload of the security team. Inviting downstreams to
> > list versions and ranges, as well as expecting them to be involved in
> > the patch, gives organizations without representation in the security
> > team the opportunity to decide to engage in the security process. At
> > the same time, it puts the onus of determining which products and which
> > versions might be affected, as well as the core work of creating and
> > testing a patch, on downstreams.
> >
> > Signed-off-by: George Dunlap <george...@cloud.com>
>
> Hey XCP-ng / QubesOS / OpenXT,
>
> This proposal was meant to benefit downstreams like you; SUSE and
> XenServer can already make sure products important to them get
> embargoes even for older versions, we just didn't want it to be unfair
> towards the other downstreams.
>
> If this is something your organization would actively use, then please
> give support / feedback. If you don't think you're interested at this
> time, just leave it, and I'll leave this one alone for now. The text
> is here, we can always bring it up later if someone becomes
> interested.
>
> (And don't feel bad about saying "not interested" -- I've cleared my
> conscience by making the offer, if you're not interested it's less
> work for me!)
>
> Peace,
> -George
>