Dear Community Member,
the last time we updated the Xen Project Security Process was 3 years ago (in March 2015): I think it is time to take stock, see whether what we have works and if there is scope for improvement. In the last 3 years I have had only positive feedback about the process; however, more recently I had the odd conversation with community members on how we might improve things.
The Consultation Process
Rather than start a discussion with a concrete proposal or with nothing, I wanted to collect some data on pain points based on your input, and use this information to create a White Paper for further discussion.
If you want to participate, please send input to [hidden email] (please use the title “re: Xen Security Process Consultation”). You may use a public list, but if you do, CC me. If you reply to this mail, note that replies will *not* be published on xen-announce@
What information am I looking for?
What is working well for you and why?
What is not working well and why?
What could we improve and why?
If you raise an issue, please also state how painful the issue is for you now (on a scale of "a little", "moderately", "painful").
Examples of feedback I have received in the last year are items such as
This is not a conclusive list: it is just intended to get you thinking. There is also no restriction on who can provide information: feedback from *all* users on or off the pre-disclosure list is welcome.
Recent changes we have made informally
Note that we have made some changes within the framework of the security process.
1) Batching security issues: we have attempted to batch security issues for more than 6 months now. We always pre-disclose 2 weeks before public release in a batch, as required by our security process.
2) SUPPORT.MD: In addition, we took steps to become a CVE Numbering Authority. This has resulted in the creation of SUPPORT.MD. Some of the tooling related to SUPPORT.MD, such as generation of web pages similar to https://wiki.xenproject.org/wiki/Xen_Project_Release_Features, is still missing.
Looking forward to your feedback
Xen-announce mailing list